Trying to make the generalist media understand the difference between ‘hackers’ on the one hand and common criminals, intelligence operators and military, and security experts on the other is a losing battle. Many have tried over the years but without success. The cliché of the acne-ridden 15-year-old who ‘hacks’ NASA or the Pentagon moved on to the ‘hooded sociopath’ iconised by Mr Robot. There are many variations on the theme because the phenomenon is made even more complex by a certain unscrupulousness of those operating in the market that is now called ‘cybersecurity’ by Andrea Monti – Initially published in Italian on Strategikon – an Italian Tech BlogLet us start with the basics. The best, though not the only, definition of what hacking is was proposed by Richard Stallman, the creator of the Gnu Project.
In a nutshell, hacking is a state of mind. It means thinking outside the box, being clever and having fun doing it. Hackers usually have little respect for the silly rules administrators like to impose, so they try to get around them. So, there is a distinction between hacking and security breaches that Stallman calls ‘cracking’. He further writes: people who do this are ‘crackers’. Some of them may also be hackers, just as some of them may be chess players or golfers; most of them are not.
Although essentially agreeable, this definition lends itself to some critical remarks. For instance, it is based on a fundamental disregard for the established rules and the ‘right’ to decide what is correct or not. One example is the intellectual self-acquittal of unauthorised access. Whether a security breach is wrong depends on what the perpetrator makes of the ‘forbidden’ access he has gained. Hurting people is bad; entertaining the community is good.
Computer crimes provisions rightly deserve criticism. However, grounding the criticism on ethical beliefs by reasoning in terms of ‘good’ and ‘evil’ is a mistake. Even in a western democracy, the purpose of norms is to limit people’s behaviour. It allows a peaceful coexistence – ne cives ad arma ruant (to prevent people from taking up arms) – as it is said in the world of law. Therefore, challenging a law must be done by democratic methods (political commitment or referendum) and not by violating it in the name of individual creeds. Or, better, as the political battles of the 1970s in Italy taught us, the law can be infringed by being prepared to suffer the consequences, thus pushing for its change. It is worth suggesting that those who do not remember that they read Marco Pannella‘s biography.
As it is easy to see, however, there is no necessary relationship between the concept of hacking as a cultural and intellectual claim and the profile of a cybersecurity practitioner. As Stallman writes about crackers, security experts may well be hackers, but there is no two-way equivalence. This has little to do with the word hacker and a lot with how the cybersecurity market is developing.
The gain in terms of status or visibility built around an almost mystical image of an ‘entity’ endowed with supernatural powers that belongs to a mysterious and elitist community is self-explaining. The reality is much less glamorous, and often those who call themselves – or let others call them – ‘hackers’ have little title to do so. Perhaps one possesses a good technical skill built on ‘do-it-yourself’ or preferred a console to a football as a child. In the worst cases, one has merely read something out to present oneself as one of ‘those in the know’, repeating the same things at every opportunity.
There is nothing wrong with not having lived through the golden age of microcomputing, Bbs and the dawn of the internet. Even if his first computer was a Pentium II, one could be a hacker, just as one can become an outstanding security professional without necessarily endorsing a specific philosophy. As much as cybersecurity clearly needs ingenious people capable of finding unconventional solutions to seemingly unsolvable problems, it is even more in need of skilled and trained professionals capable of operating in complex organisations.
An armed force comprises soldiers who must follow orders without question and people who have a very high degree of preparation and autonomy (regiments and special corps). There must be a reason if the latter are (extraordinarily) fewer than the former. But this does not mean belittling the role of those who are not part of more exclusive realities.
However, what matters is being clear about one’s status because, even in cybersecurity, confusion often causes irreparable damage.