DAVEY WINDER
It’s time to reset our cyberattack vocabulary, says Davey Winder, as he explains why hacking is not a crime
If you’ve ever attended an infosec or cybersecurity event, you will no doubt have noticed the preponderance of “Hacking is NOT a Crime” stickers. In 2018, some 500 such stickers were handed out at the DEF CON 26 event; the following year 5,000 were distributed. Who knows how many real and virtual stickers will be handed out at this year’s event, which is going hybrid due to Covid.
Yes, you did read that right: Hacking is NOT a Crime (hackingisnotacrime.org) isn’t just a sticker or meme, it’s a non-profit organisation on a mission to advocate global policy reform to both recognise and protect hacker rights. And yes, you did read that right as well.
If you’re thinking, “why should any organisation be arguing that people behind ransomware, data breaches and cybercrime are deserving of safeguarding” then, sorry, but you’re part of the problem. You have been conned by the cultural references, misled by the media narrative (mea culpa, by the way) and, therefore, only see hackers through the lens of a negative stereotype. This isn’t just a sticker-selling exercise – there’s more to it than paying lip-service to a cause. There are real-world consequences of the negative association, with some hackers unwilling to disclose, at least publicly, the vulnerabilities they find for fear of legal consequence.
Semantics matter
I’ll stick to home territory for the purposes of this column. The Crown Prosecution Service (CPS) in the UK defines hacking as being “the unauthorised use of or access into computers or networks by using security vulnerabilities or bypassing usual security steps to gain access”.
In truth, the establishment of bug bounty programs and vulnerability discovery platforms has meant that hacking often embraces the “authorised use of or access into” – but not all the time. Vulnerability after vulnerability has been uncovered by hackers without such authorisation, but does that make them bad people? Hell no, quite the opposite. The world would be a much more dangerous place – from the perspective of privacy, fraud and crime – were it not for these hacking heroes, be they using an officially authorised platform or going it alone.
I agree with the CPS definition where it states that “criminals may hack systems or networks to steal money or information, or simply to disrupt businesses”. This gets closer to where we should be regarding terminology: criminals can hack things, but hackers are not criminals.
The Computer Misuse Act (CMA) itself doesn’t define what a computer is (which is an acknowledgment that technology changes rapidly), but the CPS guidance (cps.gov.uk/legalguidance/computer-misuse-act), when referring to criminal intent (mens rea), continues to frame hackers with a negative narrative.
The two elements of criminal intent under the CMA are knowledge that the intended access was unauthorised and an intention to secure access to a program or data held in a computer.
“Section 1(2) explains that the intent of the accused need not be directed at any particular program or data, so as to include the hacker who accesses a computer without any clear idea of what he will find there,” the CPS guidance states. Quite apart from the gender issues here, this amplifies the negative hacking narrative.
So what should a cybercriminal be called? (The clue is in the question)
Okay, by now I’m sure there are plenty of readers recalling that I’ve written lots of articles across my thirty years in print and online that refer to hackers in a criminal context. Am I guilty of using hacker in a headline when cybercriminal would have been more appropriate? Sure, hands up, I’ve done that in the past. I haven’t set out to engage in a pejorative narrative, though. Like many people in the media, and even in the cybersecurity industry, I didn’t know any better. Most of the time my use of the word in a headline is positive now. Indeed, having just checked my Authory page I find plenty of recent results from a search on hacker or hackers return stories about bug bounty platforms, security researchers, vulnerabilities and so on.
But that’s not always been the case and I need to do better, I need to strive to be better. By which I don’t mean using differentiators such as the cowboy movie white hats, black hats and grey hats, either. While those served a purpose some years ago to try and separate the good from the bad and the hard to pigeonhole legally, that time has long since passed. As, I would venture, has using “cracker” to describe those engaged in criminal acts of hacking. It’s far better, surely, just to come to terms with the fact that hacking isn’t a crime and hackers aren’t criminals. Period.
So, what should the media and business itself be using instead of hacker? After all, with ransomware on the rise, no sign of data breaches exiting stage left and cybercrime increasingly featuring on the global security agenda, there has to be nomenclature that’s accurate, descriptive, easily understood and not harmful. Luckily, there is. Someone who undertakes a ransomware attack isn’t a hacker, they’re an attacker or, if you prefer, a cybercriminal. It’s really not that difficult to get your head around when you start thinking about it. We don’t call someone who has broken into your house by picking the lock of the front door and stolen your TV and laptop a lock-picker; we rightly call them a burglar or a thief. Why should it be so different in an online, an information security or “cyber” context?
I first got into writing about bulletin boards, online “comms” tech, the internet and ultimately specialising in cybersecurity by being a hacker 30-odd years ago. I did what I did back then for much the same reasons I do now: I hacked because I wanted to learn about and explore the emerging online world. I write because I want to learn more about newly emerging technologies and, hopefully, explain them in an enthusiastic and accessible way.
That’s not so different to the hackers of today, as Luke Tucker, vice president of community at bug bounty and hacker-powered vulnerability discovery platform HackerOne told me. “Often, when we see the term hacker it is associated with illegal acts and perhaps not surprisingly, much of the world’s attention has been focused on the negative behaviour of illegal hacking. However, we have been challenging this notion and see hackers as a form of doing good.
“Hacking just means to find a solution to a problem, and we already have a term for those doing this illegally – a cybercriminal. Our recent 2021 hacker report looked into the motivations of the community with 85% admitting they hack to learn, 76% to make money and 65% or so to have fun. We are starting to see attitudes towards hackers evolve with every passing year and more and more hackers are being recognised as a force for good.”
Game over?
Earlier in the summer, it was reported that Electronic Arts (EA) had suffered a data breach at the hands of cybercriminals. It didn’t take long for the cybercriminals to start posting congratulatory messages on invite-only criminal forums. They listed source code and tools related to the Frostbite engine behind a host of games such as Battlefield. EA later confirmed the “network intrusion” and admitted some game source code was stolen. Am I surprised? Yes and no.
Yes, because EA is well-respected in the infosecurity community as having a strong security culture and team. And no, because the games industry is hugely profitable and therefore a primary target, but also because the oft-repeated adage applies: cybersecurity defenders need to get it right all of the time, while attackers need to get it right once.
The upside of this particular breach is that it doesn’t appear any personal or financial player data was accessed. Nor does it appear to have been ransomware actors behind the attack; instead, the data was seemingly put straight up for auction to the highest bidder.
Here’s the thing, though: gamers and the gaming industry itself don’t just have to be fearful of a singular threat. In that regard they’re no different than any other sector. In this case, it was a network breach with data exfiltration, but it could easily have been ransomware or a distributed denial of service (DDoS) extortion threat.
Indeed, according to Akamai research, the video game industry is increasingly under attack – more so than other industries during the pandemic last year. That research found the gaming industry had been inflicted with some 240 million web application attacks across 2020, up by 340% on the previous year. Oh, and some 11 billion credential stuffing attacks for not so good measure. Mobile gaming, or at least those games with an in-app purchasing element, are also subject to what Akamai calls “a consistent barrage of attacks.”
Again, that’s no surprise to me because I’ve written about the trade in stolen gamer accounts driven by in-game items owned such as skins and special weapons, before.
Steve Ragan, an Akamai security researcher who authored the report, wrote: “We’re observing a remarkable persistence in video game industry defences being tested on a daily – and often hourly – basis by criminals probing for vulnerabilities through which to breach servers and expose information. We’re also seeing numerous group chats forming on popular social networks that are dedicated to sharing attack techniques and best practices.”
Perhaps the most bizarre, and certainly highly unusual, gaming-related threat was discovered by Sophos Security Labs researchers. This was no password-stealing thing, no ransomware attack, it was what you might call, and Sophos did call, vigilante malware.
The malware itself came disguised as cracked versions of online games, including Minecraft and Among Us (Microsoft Office was also used, which can almost be thought of as a survival game, I guess), which used a modified HOSTS file to prevent access to pirate software sites. Oh the irony, huh? Sure, a HOSTS file modification isn’t exactly a new way of doing things, quite the opposite, nor is it complex. But you know what, it works and can cause much scratching of heads for even those who consider themselves technically savvy.
It seems that the malware in question was able, in most but not all cases, to elevate Windows privileges to admin in order to edit the HOSTS file. However, as Andrew Brandt, principal threat researcher at Sophos, explained, while sometimes it’s straightforward to see the threat actors’ end game, this wasn’t one of those times. “On the face of it, the adversary’s targets and tools suggest this could be some kind of crudely compiled anti-piracy vigilante operation.
“However, the attacker’s vast potential target audience – from gamers to business professionals – combined with the curious mix of dated and new tools, techniques and procedures (TTPs) and the bizarre list of websites blocked by the malware, all make the ultimate purpose of this operation a bit murky. There might not even be an overall purpose to this attack at all. But that doesn’t reduce the level of risk or the potential disruption for victims.”
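The HOSTS-file trick described above is easy to check for. The script below is an added example, not code from the column or from Sophos: it parses a HOSTS file and flags any hostname that has been sunk to a loopback or unspecified address (the blocking pattern the malware used) or pointed at some other address (a possible redirect). The sample file and the `.invalid` domain names in it are constructed for illustration; on a real machine you would read the file from its usual location (on Windows, `C:\Windows\System32\drivers\etc\hosts`).

```python
"""Audit a HOSTS file for sinkhole or redirect entries (added example)."""
import ipaddress
from typing import List, Tuple

# Names a stock HOSTS file legitimately maps to a loopback address.
STOCK_LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters",
}

# Constructed sample: a stock-looking header followed by injected entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1 localhost
::1 localhost
0.0.0.0 downloads.example-warez.invalid    # injected block
0.0.0.0 www.example-warez.invalid          # injected block
127.0.0.1 tracker.example-cracks.invalid   # injected block
203.0.113.7 updates.example-vendor.invalid # injected redirect
"""

Finding = Tuple[int, str, str, str]  # (line_no, address, hostname, kind)


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, address, hostnames) for each active entry.

    Comment text after '#' and blank lines are ignored, as the resolver does.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        active = raw.split("#", 1)[0].strip()
        fields = active.split()
        if len(fields) < 2:
            continue
        entries.append((line_no, fields[0], fields[1:]))
    return entries


def classify(address: str) -> str:
    """'sinkhole' for loopback/unspecified addresses, 'other' for any
    other valid address, 'invalid' if the token is not an IP address."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return "invalid"
    if addr.is_loopback or addr.is_unspecified:
        return "sinkhole"
    return "other"


def find_suspicious(text: str) -> List[Finding]:
    """Flag hostnames blocked via a sinkhole address (except the stock
    localhost names) and hostnames mapped to any other address."""
    findings: List[Finding] = []
    for line_no, address, names in parse_hosts(text):
        kind = classify(address)
        for name in names:
            if kind == "sinkhole" and name.lower() not in STOCK_LOOPBACK_NAMES:
                findings.append((line_no, address, name, "block"))
            elif kind == "other":
                findings.append((line_no, address, name, "redirect"))
    return findings


if __name__ == "__main__":
    for line_no, address, name, kind in find_suspicious(SAMPLE_HOSTS):
        print(f"line {line_no}: {kind:8s} {name} -> {address}")
```

A "redirect" finding is not automatically malicious (administrators do pin internal names in HOSTS), so in practice you would compare the findings against an allowlist of entries you placed there yourself; anything else, and in particular a long run of `0.0.0.0` entries for names nobody on the machine added, is worth investigating.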