Most Hackers Aren’t Criminals
By Charles Henderson
When asked what his father did for a living, my son explained to his kindergarten teacher that “he steals things, but it’s O.K. because he gets paid to do it.”
He wasn’t wrong.
I’m a hacker, and I run a team of hackers. We spend our days discovering ways to break into anything that can connect to the internet – servers, automated teller machines, light bulbs – in an attempt to access information that was never meant to be seen. If we get to it before a criminal does, then we’ve done our job.
I’m proud of what I do for a living, just like doctors or lawyers are proud of the work they do. The Texas Department of Motor Vehicles, however, recently took a critical stance on my profession. When I purchased vanity plates1 for my car, the agency was quick to take them away, claiming that a license plate displaying “HACKING” endorsed illegal and criminal activity.
While this reaction really isn’t the fault of the well-intentioned municipal employee who took away my license plates, it’s a symptom of how a deeply rooted misrepresentation of my profession has created flawed perceptions and stereotypes.
The way that hackers are depicted in Hollywood and by the security industry itself has contributed to the word “hacker” becoming synonymous with “criminal.” Hackers are often portrayed as hooded figures in dark rooms who are engaged in illegal activity while jabbing at keyboards and are almost always male. In recent years, television shows like “Mr. Robot” and movies like “Ocean’s 8” have introduced female characters as hackers, but the male hacker stereotype unfortunately prevails.
The stereotypes don’t apply to most hackers in the security profession. Hackers aren’t social pariahs2 who operate in silos3 and work alone. I have been a hacker for over 30 years, and I do not wear hoodies. Some hackers even choose to suit up for the job. And – spoiler alert – women hack too. Offensive security culture is innately inclusive: This is a business in which companies hire hackers to outsmart them, to find an organization’s breaking point before criminals do. Testing a company’s security and coming up with creative ways to hack into it is something that requires diverse teams and diverse mind-sets.
Back in the 1950s, the modern use of the term “hacking” was coined within the walls of the Massachusetts Institute of Technology. For many years after, a hacker was defined as someone who was an expert at programming and problemsolving with computers, who could stretch the capabilities of what computers and computer programs were originally intended to do.
Hacking is an activity, and what separates any activity from a crime is, very often, permission. People are free to drive, but they do not have permission to drive 150 miles per hour – that’s reckless driving and it’s a criminal offense. Bankers can transfer their clients’ money, but if they do so without permission, that’s embezzlement. And you’ve never heard of someone being arrested simply for being a stockbroker, because no one is charged for choosing a career in finance – but they’d be arrested if they engaged in illegal activity like insider trading.
Thanks to security researchers’ hacking practices, in 2019 vulnerabilities in a new version of the most common Wi-Fi encryption standard (WPA3) were found before criminals could use them to break into home and business networks. Conversely, just the month before criminals found an unknown vulnerability in Google’s Android operating systems before security researchers did, giving the bad guys full control of more than a dozen phone models.
Hacking isn’t an inherently criminal activity. Someone who engages in the illegal use of hacking should not be called a “bad hacker” but a “cybercriminal,” “threat actor” or “cyberattacker.” Hackers
are people like me and my team at IBM – security professionals who are searching for vulnerabilities, hoping to find weak links in our computer systems before criminals can exploit them.
Those who commit computer crimes fall into two categories: “black hat” and “gray hat.” A black hat is someone who hacks with malicious intentions (espionage, data theft), seeking financial or personal gain by exploiting vulnerabilities. A gray hat is someone whose intentions may not be malicious but lacks the permission to hack into a system. Whether a particular criminal is a black hat or a gray hat is simply descriptive of the motivation behind what has already been established as illegal activity.
Somewhere along the way, the security industry also recruited ethics to help justify hacking behavior, giving us “the ethical hacker” and adding an artificial defensiveness to a profession that has existed since the 1950s. Unfortunately, even accredited security certifications use the adjective in their very title. And while we can’t and shouldn’t fault the general public for referring to us as ethical hackers, I ask you this: Does it sound right to introduce someone as an ethical stockbroker? How about an ethical engineer or ethical professor?
Hackers play a critical role in keeping companies and people safe. A hacker failing to do the job right is the equivalent to letting a company believe and function as if it’s wearing a bulletproof vest when in fact, it’s wearing cashmere. At IBM, one thing my team, X-Force Red, does is hack autonomous vehicles, planes and trains to make sure that every possible security vulnerability is found and corrected before each machine is shipped. Imagine what bad things could happen if security weaknesses aren’t identified and corrected before those vehicles are out the door.
黑客在维护公司和个人安全方面发挥着关键作用。黑客未能正确地履行职责等同于让公司以为穿着防弹背心而事实上却穿着羊绒衫。在IBM，我的X-Force Red 团队开展的一项工作是攻击自动无人驾驶汽车、飞机和火车，以便确保每台机器发货之前发现并纠正每一个可能出现的安全漏洞。想象一下如果这些运输工具在出厂前未能发现并纠正安全缺陷会发生什么糟糕的事情吧。
The misrepresentation of the term “hacker” not only undermines the offensive security community but also distorts legislators’ understanding and perception of hackers overall. The Computer Fraud and Abuse Act, for example, relies heavily on the term and its misinterpretation. For society to have open and productive discussions about security research and penetration testing, we need to set the record straight on who and what hackers really are. Many government officials whom I’ve spoken with understand this. Others choose to take my license plate away.
1. 在美国，很多车牌都有7 个字母长，有些甚至还包括一些特殊字符，如破折号或心形符号。有些人选择将这个数字/ 字母组合更改为其他字符，这可能会包含或暗示一个或多个单词。这些车牌需要额外收费，被称为虚荣车牌或个性化车牌。
2. pariah 为社会所遗弃者。