Why Hackers Do the Things They Do
                                       
   by Ira Winkler, NCSA's Director of Technology
   
   To almost all computer professionals the actions of hackers are
   despicable and justify all sorts of nasty punishments. I fully agree
   that hacking is a criminal offense and should be prosecuted. The only
   thing that bothers me from a moral standpoint is that these criminals
   are essentially the cyberspace equivalent of teenage vandals. They do
   not know the implications of what they are doing. These people are
   displaying situational morality, and their actions are random, yet
   predictable.
   
   Let me say up front that when I say hackers, I am specifically
   referring to people who intend to intrude into computer systems with
   the only intent of intruding into the system. I am not referring to
   people with clear criminal or malicious intent. These are people that
   say they do it for the sake of curiosity and to learn. I do not buy
   into this argument. There are laws that clearly define an uninvited
   attempt to even access a computer as a crime. While some people may
   argue whether it should be a law, the point is irrelevant. These hackers
   generally seem to obey the law, and tend to be good students, the type
   that cause parents to be proud. Why then do they commit these
   computer-related crimes as an obsession?
   
   I believe the issue goes back to how they are raised. I am not saying
   that these people have bad parents. I contend that while parents go
   around telling their children not to do drugs, to study hard in
   school, etc., they do not tell their children that it is bad to break
   into computer systems. Parents don't think of discussing it. This
   leaves teenagers to learn the morals of computer hacking on the
   streets, and in this case, cyberspace. They learn about hacking on
   bulletin boards, chat lines, etc. Are there established experts in the
   field on these forums to discuss the moral issues of hacking? Clearly
   not; they don't have the time or desire to associate with these
   people. The hackers therefore learn their morals from other hackers.
   
   The hacker morality has been developed over the years to be
   self-serving in justifying their actions. Newcomers to the community
   learn the morality by associating with established hackers. There is a
   desire to impress each other, and there is an awe about their heroes,
   such as the Legion of Doom and the Masters of Deception. Are their
   heroes criminals? Not to the hackers. They are political prisoners for
   "knowing too much," or at least that is what everyone is telling them.
   There are no established security experts visible to the general
   population to let the hackers know the actual damage that these people
   created or the real criminal actions that they committed.
   
   Hackers also do not know about the costs associated with their
   actions. All studies indicate that hackers are generally young, and do
   not have full-time jobs or own property. They do not consider that if
   they do get into a system and make an unintentional, simple mistake,
   they could cost the company thousands, and possibly millions, of
   dollars. I would dare say that every computer professional, including
   the best, has made a mistake that has caused the loss of data,
   service or money. Hackers have never been in a real situation to
   understand this issue. They do not know what a System Administrator is
   faced with on a day-to-day basis, and neither do they realize the
   extent of the problem they cause for already overworked people. They
   also do not comprehend that a company detecting an intrusion must
   investigate to see the extent of it. This has a cost of thousands of
   dollars associated with it.
   
   Hacker morality says investigating intrusions is a cost of doing
   business, and it is the company's fault for having poor security.
   Hackers, as individuals, have never had to balance limited resources
   themselves, and cannot empathize with others.
   
   There is also a more threatening aspect of hacker morality: there are
   many variations of it. Some hackers believe that it is all right to
   punish people and companies that they do not like, while others find
   the action reprehensible. Others believe that it is all right to steal
   money and resources, if it goes to support hacker actions. This is
   very dangerous. Even though many hackers might disagree with these
   types of actions, they will not "snitch" on others, which is
   considered the most reprehensible thing that a hacker could ever do.
   In my opinion, all of these attitudes come from the same source: a
   morality that is learned from other hackers, without role models from
   the legitimate information security community.
   
   While it is wrong to stereotype hackers as evil people with malicious
   criminal intentions, they cannot be stereotyped as benevolent freedom
   fighters as the hackers like to see themselves. Hackers must also
   realize that the actions of criminals will always reflect poorly on
   the hacker community as a whole, until the hacker community tries to
   police itself, which will never happen. Their actions are, by
   definition, criminal. They can suffer repercussions, which include
   being criminally prosecuted and ostracized by the information security
   community.
   
   The information security profession must also be more visible in a way
   that reaches children before the hacker community gets them. Hacking can
   be very exciting for a teenager who can be considered a hero by
   others. Somehow the profession must get together to teach parents and
   schools that they must teach their children about hacking, before
   somebody else does.
   
   The ideas expressed here are the author's alone. If you have any
   thoughts or comments on them, feel free to write winkler@ncsa.com.
   