Real Hackers Don't Wear Hoodies (Cybercrime is Big Business)
Most people probably have an idea about what a hacker looks like. The image of someone sitting alone at a computer, with their face obscured by a hoodie, staring intently at lines of code in which their particular brand of crime or mischief is rooted, has become widely associated with hackers. You can confirm this by simply doing an image search for "hackers" and seeing what you come up with.
After decades of researching hackers, I've decided that this picture is distorting how people need to see today's threats. It makes some very misleading implications about the adversaries that people and businesses need to focus on. It's a mistake to take the old "hacker-in-a-hoodie" stereotype and think it applies to the cyber crime and nation-state attacks we're facing today.
When I see a news article with a stock photo of a hacker-in-a hoodie, I feel like I'm being lead to believe that hackers work in isolation. And that hacking is a hobby one indulges in when they're not working or studying. My takeaway from this image is that hackers are portrayed as pursuing a casual interest rather than working to achieve goals. But the idea that such unprofessional adversaries are responsible for things like Stuxnet or ransomware is incredibly naïve. Why don't we see pictures of hackers wearing a suit and tie? Or a uniform?
Hacking is now a marketable skill that's commodified as products and services, and sold to criminals, companies and governments. Hackers now have their own networks, both technical and social, that they use to buy, sell, and trade hacking services and malicious software. They pool resources and coordinate efforts, giving threats far greater capabilities than any individual hacker could develop on their own. After all, there wouldn't be an exploit industry enabling cyber attacks if it weren't for the networks connecting hackers, companies, governments, and other organizations.
Cyber crime has industrialized hacking. It's created structures for hackers to operate within, and objectives (usually financial) to achieve. We are aware of several organized cyber crime gangs that have made tens of millions of dollars in profit with their attacks. And now, with nation-states becoming increasingly active participants in the threat landscape, we're only going to see more growth and opportunities in hacking.
In the past year I've been speaking about the potential existence of Cyber Crime Unicorns - cyber crime ventures that could be valued at over one billion dollars. I can admit the comparison is problematic because a criminal enterprise could never be valued in the same way as a legitimate business. But comparing today's hackers with the old stereotypes is even more problematic. The hacker-in-a-hoodie is a great picture of the hobbyist hackers from the past, and it's still relevant today when discussing hacktivist groups like Anonymous. But the Cyber Crime Unicorn represents the relatively unimpeded growth of cyber crime, which is a far greater threat. Continuing to perpetuate the stereotypes allows the hobbyist hacker threats of history to distract us from the cyber threats of today, and ignoring such misdirection will only cause problems in the future.
I'll be discussing these topics, and how they apply to open source systems and to service providers further in my keynote ("Complexity: The enemy of Security") at the OPNFV Summit in Berlin on June 22-23. See you in Berlin!
Mikko Hypponen is the Chief Research Officer for F-Secure.