In it for the LOLs
We need to understand hackers, not just lock them up, says Milo Yiannopoulos
The world of the ‘hacker’ sounds terrifically exciting, if a little nerdy. We typically think of characters like Boris Grishenko from the 1995 Bond movie GoldenEye: wiry Russians with dextrous, pen-twirling fingers, intergalactic-sized brains and amazing ‘cyber skills’. The reality of hacking can be more prosaic: some of the most successful hackers in history have been more like estate agents than autistic basement-dwelling geniuses.
Kevin Mitnick, author of Ghost in the Wires, says that his greatest skill was ‘social engineering’, not programming: he manipulated people into giving him access codes and information by impersonating authority figures, often simply over the phone or via email. Mitnick was able to squeeze out personal information about FBI informants through a combination of homework and chutzpah. ‘People, as I had learned at a very young age, are just too trusting,’ he says.
That’s not to say that there isn’t some sophisticated digital wizardry going on out there, as the expert on this subject, Misha Glenny, explains, in terrifying detail, in his 2011 book DarkMarket. Money, he says, can be ‘stolen by a Russian in Ukraine from an American company and paid out in Dubai — and the whole transaction need last no longer than 10 minutes’, reminding us that cybercrime operates so fluently across geographical borders that international criminal agencies can barely even reconstruct the architecture used to illegally transfer money and data, less still police it.
That mention of money shouldn’t mislead you into thinking that hackers are only in it for the cash. They do it for the challenge: for the thrill of solving puzzles and cracking a combination of human and digital systems. They also do it simply to amuse themselves: ‘for the LOLs’, as they say on the internet. The motivations of hacker groups can be scarier than those of traditional organised crime syndicates, because sometimes it can seem as though their only real motivation is to cause havoc. As Mitnick puts it: ‘There’s always something that’s more challenging and fun to hack.’
Hackers are a very unique sort of criminal, often socially awkward and introverted. Under other circumstances, they would find the idea of joining any sort of gang intimidating. Yet, online, protected by the distance afforded them by digital technology, they coalesce into groups with odd names like Anonymous, LulzSec and The Cult of the Dead Cow.
They’re people who learned their hacking skills in their early to mid teens — in other words, before their moral compasses were fully developed. Unusually gifted at maths and the sciences, they tend to be people who do not demonstrate many social skills outside the digital world, with personalities consistent with Asperger’s syndrome. These social disabilities become assets in the online world.
Any and all industries are potential targets for hackers who are either addicted to mischief and problem-solving or who become seconded into online gangs for financial gain. As these underground communities become more complex, ‘off the shelf’ software that, for example, clones credit card numbers gets offered up for sale in escrow marketplaces. You can now buy ‘carding’ software as easily as you can a copy of Windows. That’s why so many professional carders aren’t particularly sophisticated hackers: they no longer need to be.
As a result, many criminal justice systems see hackers as simply another kind of criminal. Glenny thinks that’s short-sighted: given the flow in both directions between security consultancies and the digital criminal underworld, he reckons that we should be engaging with hackers, not simply locking them up.
Actually, that’s been going on for some time already, particularly in China. And when governments get involved in hacking, you start to see the terrifying possibilities of malicious digital activity in a world almost entirely reliant on software. On 1 June, we learned in the New York Times that, just two months into his administration, President Obama had ordered ‘increasingly sophisticated attacks on the computer systems that run Iran’s main nuclear enrichment facilities’: an order that resulted, it is thought, in the creation of the Stuxnet virus. Today, Stuxnet is available for anyone on the internet to download and modify. In an online environment where so many hackers are in it ‘for the LOLs’, that should give us grounds for fear.
Businesses aren’t any safer. Misha Glenny likes to joke that there are two types of companies: those who know they’ve been hacked, and those who don’t. The reality is that both companies and governments are deficient when it comes to protecting their data. That’s the value, researchers at the UN’s Hacker Profiling Unit say, in understanding the psychological make-up of hackers, because in order to hire them, you have to understand what makes them tick.
A lot of money is being spent on cybersecurity by today’s corporations, but there isn’t a great deal of human intelligence brought to bear on one of the greatest challenges the world will face over the next decade: how to engage and negotiate with a generation of brilliant, mischievous computer obsessives, some of whom want little more than to see the world burn.
The Cyber Threat | 30 June 2012 | in association with BAE systems DETICA
From our sponsor
The fight that never ends
Martin Sutherland, Managing Director of BAE Systems Detica, outlines the cyber threat
Why are we talking about cyber-security now? After all, in many ways, this is not a new problem. People have been using computers to steal credit card details and hack into online bank accounts for years now. And other people have been defending against them for just as long. The first firewall was invented in 1988 and antivirus programs were introduced at around the same time. So, haven’t we had this conversation before?
The answer is simply that cybercrime is getting more pervasive, and more threatening, by the year. It can never be ignored. Whereas cybercrime once used to be largely about individuals targeting individuals, it has now been industrialised. Nation states, and the corporations around them, now use cyber-espionage for their own economic ends. Their thinking is that if you can steal a march on your global rivals by stealing their information, then — why not?
Obviously, this has grim consequences for the countries and companies who are the victims of cybercrime. Working with the Cabinet Office, BAE Systems Detica last year put a figure on the annual cost of cybercrime to the UK: £27 billion. That is to say, the economy is £27 billion a year smaller thanks to the actions of cybercriminals, taking confidential information and industrial secrets. As the country struggles for growth, this is not something that can be ignored.
Thankfully, the government is not ignoring this pervasive problem. Its National Security Strategy includes ‘cyber attacks’ as one of only four ‘Tier 1’ threats. The budget for cyber-security is being increased by £650 million over four years, making this one of the few spending areas that is dodging the cuts.
Cyber-security ought to be a national priority — and, thankfully, it now is.
But it is more difficult for businesses to recognise and to confront the problem. Part of the reason is the nature of what’s being plundered. If you have your wallet or your laptop stolen, then you can see that it has gone. But if someone steals your information, then you still appear to have it. This, along with the highly covert methods used by cyber-criminals, means that many businesses are not aware whether they have been raided at all. It’s a threat that is difficult to grasp and as a result it makes the real risk far harder to assess and measure.
Awareness of cybercrime does seem to have risen over the past 12 months, however. Increasingly, we’re seeing this become a boardroom issue. There was a time when executives might have thought: ‘IT security? Haven’t we got a techie in the basement to deal with that?’ But now, with the vast amounts of intellectual and financial capital that can be lost because of it, this approach is less viable than ever before.
But awareness is not all that matters. When a business does recognise the threat, they still have various trade-offs to make to defend against it. If it was simply a case of being entirely secure from computer attacks, then they could revert entirely to pen and paper. But this is impracticable for almost all offices nowadays. They need some degree of computerisation and networking — and that means that they need cyber-security too.
And then the question arises: just how much cyber-security do they need? Obviously, the answer varies according to numerous factors: the size of the business; the nature of their work; and so on. But for many businesses there is one consideration above all others: cost. Spend millions, and you can be relatively confident about your security. Spend hundreds, and that is less the case. This is perhaps the most unforgiving trade-off of all.
The persistent challenge for the cybersecurity industry is to make their technology better and more affordable at the same time. Big banks and big corporations may be able to afford the tightest security, but small businesses cannot. And the sad fact is that small businesses are attractive targets for cybercriminals too, because they are where a lot of the innovation happens. Ideally, the start-up company in someone’s garage needs to be just as vigilant as a Goldman Sachs.
Cybercrime is a problem that will never go away. This is the nature of our world, as more and more of our everyday life takes place in the digital sphere. And it is also the nature of our enemy. Provided information is valuable — and it always has been — there will be people looking to steal it. As cyber-security becomes more and more sophisticated, so too will the methods used to get around it.
Which, returning to the original question, is exactly why we should always talk about cyber-security — and why businesses should think about it constantly. If there’s one piece of advice we always give, it is for businesses to consider those trade-offs. What needs to be secure? Can those things be secured at a reasonable cost?
www.spectator.co.uk | 5 February 2011 | Britain’s Skills Crisis in association with BAE systems DETICA | 30 June 2012 | The Cyber Threat