Stereotyping is very dangerous in investigations, particularly in the field of information security.
The media in the past have portrayed the average computer criminal as an adolescent teen who is highly intelligent, highly skilled, an under-achiever at school, with limited social skills and few or no friends. This perception was at least partially reinforced by the 1983 film War Games. In the film, the teenage character unwittingly breaks into the North American Aerospace Defense Command (NORAD) and nearly triggers World War III. The tagline of the movie sums up the sentiment of the day regarding computer crime: "Is it a game, or is it real?" In the 80s and early 90s this stereotype was nearly valid, though there were some notable exceptions.
However, today we have a much more diverse field of threat actors:
- Computer criminals, 'hackers'
- Organized crime sponsored computer crime
- State sponsored information warfare
- State sponsored economic espionage
- Company sponsored economic espionage
- Information brokers
- Virus writers
There has been a move in the media and among information security professionals away from the pure term 'hacker.' We are now trying to differentiate between good actors and bad actors with terms like black hat, gray hat and white hat. Why do we need to use terms like black hat or hacker (modern usage)? Why do we stray away from using a term like computer criminal? The very basic question is, "Has someone committed an offence against the criminal laws of the land?" In our opinion, the terms black hat, gray hat and hacker confer a less serious tone on a criminal act. Many of today's threat actors have moved on from the days of youthful pranks and simply browsing systems to outright criminal activity.
On the subject of terminology, Dr. Gene Spafford, professor of computer sciences and philosophy and director, CERIAS at Purdue University (Indiana) believes, "Hats are obvious, behavior isn't. And what is white to one person may be gray to another."
According to whatis.com, black hat is used to "describe a hacker (or, if you prefer, cracker) who breaks into a computer system or network with malicious intent. Unlike a white hat hacker, the black hat hacker takes advantage of the break-in, perhaps destroying files or stealing data for some future purpose. The black hat hacker may also make the exploit known to other hackers and/or the public without notifying the victim. This gives others the opportunity to exploit the vulnerability before the organization is able to secure it." Quite possibly the most dangerous computer criminal to an organization is the gray hat. These are oftentimes information security 'professionals,' protecting corporate systems from intrusion by day and breaking into systems as a hobby. These individuals can be quite dangerous to the careers of the managers that hire them and to the reputation of the companies for which they work. Should the activities of these individuals come to light, there can be a substantial public relations issue as a result.
Redhat.com defines a gray hat as someone who "... has the skills and intent of a white hat hacker in most situations but uses his knowledge for less than noble purposes on occasion. A gray hat hacker can be thought of as a white hat hacker who wears a black hat at times to accomplish his own agenda."
Would you hire a black hat or continue to employ a gray hat?
There has been much discussion in the media on the subject of hiring former hackers to protect your infrastructure. In the past, there have been numerous instances of convicted hackers being hired by companies to protect information resources. Also, the more notorious computer criminals have the option of joining the lecture circuit or writing books. Industry appears to have come to its senses with regard to hiring hackers. According to Dr. Dorothy E. Denning, professor of computer science (http://www.cs.georgetown.edu/index.html) and director of the Georgetown Institute for Information Assurance at Georgetown University (Washington, D.C.), "I think there is greater reluctance to hire them now, plus the job market has changed, so that those with a questionable past will have a hard time finding a job."
In today's legal climate, there is also the issue of corporate liability. Knowingly hiring a computer criminal may expose the company to unwanted legal issues, especially if the individual in question returns to their old ways. Dr. Spafford asserts: "If an incident occurs, attention will be focused (rightly or wrongly) on the former baddie. This will undoubtedly call the employer's judgment into question. In fact, it may be grounds (in the U.S. at least) for a shareholder lawsuit, or government sanction. It is also poor publicity. Insurance companies may not cover losses in such cases because the employer did not show due care."
Do computer criminals have the proper skill set to protect your infrastructure?
As we have noted, companies have in the past hired hackers or brought them in as consultants to secure their infrastructure. But do they have the right skill set to harden your systems effectively? The information security professional must have a wide range of skills, not just the ability to harden systems. According to Dr. Spafford: "The majority of systems are poorly written and configured. The skill level required to break into them is minimal, especially with all the rootkits and newsletters with exploit information freely available. As such, many of the people with pasts have minimal skill at anything other than downloading attack tools and running them. Thus, they make poor defenders because they really don't have the skills. The skills to break into systems are very different than the skills needed to defend systems.
- someone adept at stealing or vandalizing cars is unlikely to know how to build or service them
- an arsonist is not likely to know a lot about how to install smoke detectors and sprinklers
- a pedophile is not going to make an excellent childcare specialist
- a policeman doesn't need to practice shoplifting and rape to investigate those crimes
It is much the same with information security. A good specialist knows systems design, software engineering, network protocols, psychology, management, law, forensics, cryptography, and a bunch of other things. Those are not skills learned by breaking into systems."
In the final analysis, gray hats and black hats are both breaking the law. They have shown an indifference to society and the laws by which we live. Professionals cannot continue to vilify computer criminals publicly on one hand and then hire them into their companies to secure the very systems they have broken into.
For more information on the Interpol European Working Group on Information Technology Crime see www.interpol.int/public/technologycrime.