Expert: Hackers will be the “immune systems of the internet”

Image credit: Alexandre Dulaunoy via Flickr

“If I were to make an educated guess, I would say that the motivation was hacktivism and the intent was data theft and humiliation. Consider the personalised messages taunting CEO Noel Biderman. It implies that this was something quite personal. I suspect that this hack has more to do with intimidating, embarrassing, and punishing the leaders of the organisation, and by proxy, the customers,” says Dr. Timothy C. Summers, CEO of Summers & Company, LLC in the US and a leading expert on hacker cognitive psychology.

Summers is talking about the Ashley Madison hack, a data breach that has had far wider ramifications than data theft. Two users of the site have reportedly committed suicide, targets have been collected for blackmail, and millions of families have been affected. A group calling itself the “Impact Team” has claimed responsibility for the hack by pointing the moral finger at the users on the site. But breaching something on such a massive scale involves special abilities that go far beyond possessing simple technical skills.

“The compulsion to hack is fuelled by high levels of curiosity and exploration. Hackers [are natural] with technology which [helps] their exploratory nature. Of course, motivation and intent [are factors too],” Summers tells me.

Summers knows what he’s talking about as a self-professed hacker himself. He tells me he started programming when he was 11 and soon after that began hacking phone systems. Hackers are normally put into two categories: the “white hat hackers” are the good guys and the “black hat hackers” the bad guys.

Would Summers describe himself as a “white hat” hacker?

“I believe that most hackers have been on both sides of the white hat/black hat continuum, which is one of the reasons that I try to refrain from using it. But if you are asking about my intentions, they are good. I believe that adequate information security is important for everyone.”

His phrasing of “compulsion to hack” is interesting as it suggests an urge that cannot be controlled. In fact, Summers has said in the past that “in most cases, being a hacker is something that one chooses, but it also chooses the person”. I ask him what he means by this.

“In essence, there are aspects of being a skilled hacker that are chosen for us, by birth right, but some of the behaviours and knowledge that are key to hacking can be learned. From this perspective, it can be said that the individual chooses to be a hacker, but from a cognitive perspective, we are naturally predisposed as well.”

Summers has been studying the hacker mindset for years and currently advises companies, academic institutions and governments on the cognitive psychology of hackers. He co-wrote a dissertation studying hackers and their mental models.

In his research he found that hackers possess exceptional cognitive abilities which enable them to make sense of complex systems. They can recognise “system patterns”, learn how a system “functions on the fly” and find various ways to “exploit that system”.

When Summers was researching the hacker’s mind, what sorts of things did he discover that were the most interesting or puzzling?

“One thing that I found substantially interesting was that, based on the data, the hackers that attend conferences scored lower in terms of expertise than those that did not. But I want to be careful with this statement. It does not mean that hackers that attend conferences are not experts or vice versa. [It implies] that those hackers are more receptive to hearing the opinions and expertise of others.”

So if hackers are shown to be receptive and curious about the ideas of others, surely this flies in the face of the stereotypical “loner hacker”? Sarah Gordon, an expert on the psychology of hackers, holds the view that hackers aren’t necessarily smart or “loners” – they just “don’t extend the same moral code from the real world to the virtual world”.

Summers agrees that there is a misconception about hackers being inapproachable or socially awkward. He says he has met hackers in many “different flavours” - and the fact that people tend to think hackers work alone couldn’t be further from the truth.

“In general, hackers usually explore problems through group brainstorming. It enables them to take advantage of multiple perspectives in search for the most optimal result. Hackers like being around those that are like-minded. They like being in places where other technically-inclined individuals will be. Hacker conferences such as DEFCON, ShmooCon, and DerbyCon are great examples of this.”

It has not been an easy ride though for Summers. His previous employer was not supportive of his research and issued a cease and desist – as a result he almost lost his day job.

“I went as far as I could without losing an organ or getting into legal trouble to find research participants, and of course, many hackers were reluctant to talk with me and had substantial security requirements”.

Summers says that people didn’t quite understand the goals of his research either and he got into many debates with them. But once he got them on his side, there was a mutual interest.

As the Ashley Madison breach has recently shown, as well as other high profile breaches involving Sony, Fiat Chrysler, and JP Morgan Chase, companies are more vulnerable than ever. Summers believes that as technology advances, it will become more accepted to see hackers as the “immune systems” of the internet.

“Companies are always anxious to deploy new, incomplete technologies. Each time this happens, there are always hackers that reveal the exposure points. I believe that this will open the door for companies to become more comfortable to embrace utilising hackers for product testing.”

Jihadist militant group ISIS have become notorious for exploiting social media to further their propaganda. The danger is always present that the group will sooner or later enter the hacking space.

Does Summers see them as a danger?

“ISIS is not a nation state but has substantial financial resources and technical capabilities. In fact, with their financial advantage, they can rapidly and easily increase and enhance their hacking capabilities or just outsource to other like-minded hackers. In my opinion, this makes them quite dangerous in the hacking space, especially in relation to established nation-states.”

Has the hacker ethic changed in recent years as technology has developed?

“Yes. It seems that we are more readily willing to integrate technology into even the most personal parts of our lives; thereby, exposing ourselves to the issues inherent on the internet. The Ashley Madison breach is a perfect example of this.”

“There seems to be an interesting ethical debate on both sides. Some people feel like customers deserve to be exposed and others feel sorry for their humiliation. At the end of the day, our trust in the company and the technology that it employs has put many people in an unfortunate situation. As we become more reliant on technology and willing to insert it into our personal lives, we will see more of these situations,” adds Summers.

With businesses still reverberating from the Ashley Madison hack, what would Summers advise companies to do to protect themselves from becoming victims of a cyber-attack?

Summers warns that businesses should get rid of the assumption that no one will find out about the imperfections of their products or their indiscretions. He thinks that you should always run with the assumption that someone out there can and will find out.

“Identify a cyber-strategy partner to assist you every step of the way. Someone who will constantly work with you to hack yourself before others have the chance. Someone who is thinking about your risk exposure, from a cyber-perspective, while you are trying to pursue profitability.”

“Prepare for your data to be stolen and your systems to be compromised but be strategically prepared to substantially minimise the risks and impact,” Summers concludes.

Ayesha Salim

Ayesha Salim is Staff Writer at IDG Connect
