We must learn how the hackers think

Indicting The Israel Criminal Banking Network
Mass outrage: ‘They will be buried by laughter’

The roster of hack victims over the last two weeks has been spectacular: the International Monetary Fund, the Central Intelligence Agency, Sony, the Turkish government, Citibank and the US Senate inter alia. If it wasn’t obvious before, events in cyberspace have made it abundantly clear: there are only two types of company in the world – those that know they’ve been hacked and those that don’t.
Warnings about hacks, cyber-espionage and cyber warfare have become so cacophonous as to render this already arcane area almost unintelligible. Even so, as an individual or as a company, you now have little choice but to educate yourself. If not, the consequences are all-but certain to be serious.
Here, the private sector has a patchy record. This week’s many victims even included two cyber security companies, whose American customers included the Federal Bureau of Investigation. Embarrassing would be an inadequate description. It is axiomatic that companies should have the security of their electronic networks at the top of their agenda. The days when corporate technology was run by disgruntled geeks in the basement – as in the British sitcom The IT Crowd – should be over.
Yet while companies all too often ignore the problem, governments are panicking. To combat threats from cyber-thieves and cyber-spies many have introduced rafts of ill-conceived legislation. They are also pouring money into bureaucratic structures – with numerous new military “cyber-commands” popping up – and into the coffers of security companies claiming to offer salvation.
Despite these measures, networked computer systems have never been more vulnerable. Rather than panicking, however, we now need to understand the problem. The first task should be a sober assessment of the threats – an assessment that can lead in surprising directions.
For the companies that manage the infrastructure of the web, and also for many small businesses, the web’s biggest problem is not cyber attacks but the spam that now makes up 90 per cent of all e-mail. True, it is not an especially sexy problem. It comes without apocalyptic vision of “cyber-geddon”, in which aircraft fall out of the sky, and so it receives little attention. But it still imposes major costs and requires serious attention.
More generally, internet security cannot be solved by technical and legislative ploys alone. Instead, we need to understand the shifts now affecting the social structure of the online world. The most spectacular hacks carried out in recent weeks were not perpetrated by criminals or spies but by two informal groups: Anonymous and LulzSec.
What scant intelligence exists about them suggests their members are scattered across Europe, the US and beyond. Their messages suggest that they are motivated by an inchoate ideology that is suspicious of the state and corporations. They appear exercised by individuals or institutions who seek to curb internet freedom. Most of their members are thought to be young men, aged between 16-24. This is the generation that grew up with the internet and which cares little for what their elders think about online security. Indeed, this is a battle of an ageing culture against a youthful one – and it is a fight in which youth seems to have the upper hand.
This battle is not new. Over the past 10 years, at the behest of lobbyists from the music and film industries, governments have sought to curb the illegal downloading of music and movies. They have failed. Most of us aged 40 and above still pay for our albums and DVD boxsets. But the younger generation does not pay and will not pay.
Groups such as Anonymous and LulzSec will only proliferate as more young people turn to the web to express their idealism and their frustration with a political culture deaf to their concerns. Yet the establishment has just one response – treat them like criminals, hunt them down and throw them in jail.
If this continues, the hacking we have seen in recent weeks will continue too. But even as the threats proliferate, the security industry complains of a dearth of good specialists able to understand the technology and psychology behind hacking. Most hackers develop their skills while in their early teens. So it is time to seek them out, by identifying them while they are still at school, while still allowing them to experiment and absorb hacker culture. And then recruiting them.
Sifting our classrooms for the hackers of tomorrow sounds a little drastic. But this is the norm in emerging cyber powers such as Russia, China and Israel – and whether we like it or not, we are competing with them. We need not resort to the blackmail and bribery of authoritarian states. Instead, our governments can offer positive incentives, so this new generation of digital natives – many of whom will, in any event, develop advanced hacking skills – can put their unusual abilities to good use.
The web’s value lies in its interconnectedness, yet threats to web security lie in that very same interconnectedness, too. So not only do we have to take the narrow issue of security out of the IT Crowd’s basement and into the boardroom but we also need to understand the broader context of this profound social, economic and legal change.
Making the internet secure is not a matter of cops and robbers but of understanding a younger generation exploring every nook and cranny of the web. If we fail, and regardless of how many laws we pass, the last two weeks of spectacular hacking will seem tame by comparison.
By Misha Glenny
June 17, 2011 7:52 pm
The writer is author of the forthcoming book DarkMarket: CyberThieves, CyberCops and You