Heroes versus outcasts. Experts, the media and the public have long viewed members of the “hacker” community as belonging to one or the other of these two opposing camps, thereby helping to cement clichéd images of them. But how can this polarisation be explained? And in terms of security, isn't it in companies’ interests to work with these specialists?
“Being a hacker primarily means being able to re-purpose objects or systems to create new functions. Somebody who can use a kettle to light a barbecue is a hacker”, says Paul Fariello, a member of the Security Intelligence team at Stormshield. The hacker community is mainly made up of IT and security enthusiasts with the ability to invent creative solutions to challenges, even if those solutions sometimes end up being illegal. For cybersecurity specialists, these skills are particularly prized and the term hacker has a generally positive connotation. So why does the word conjure up imaginary worlds populated by malevolent, hooded pirates, especially amongst people working in other trades?
Culture of anonymity vs media limelight
Hackers are often perceived as a shadowy, secretive or even marginal grouping, which certainly helps to fuel wild rumours about them. “There is a proper community, with its get-togethers (like DefCon, held in Las Vegas, or Hack in Paris) and its gurus. But these people are rarely known outside circles of insiders, because their reputations are based on recognition of technical skills which only other members can assess”, says Fabrice Epelboin, entrepreneur and teacher at Sciences Po University. Yet some of their names will be very familiar to the public: Kevin Mitnick, nicknamed “The Condor”, was the first hacker to feature on the FBI's Ten Most Wanted Fugitives list. More recently, the stories of Julian Assange and Edward Snowden have made large waves in the media and in politics.
But, “hacker culture is not about egos or ultra-individualism. Some large cyber-activist groups, like Telecomix [which was very active during the Arab Spring revolutions, helping Syrian and Egyptian people to bypass internet censorship – editor's note], had a completely decentralised, non-hierarchical structure. The same is true of Anonymous: the individual melts into the group and they strive to achieve a critical mass”, he adds. In many cases, the anonymity they seek can give rise to, and then fuel, negative stereotypes about cyber-activist collectives. “It’s a bit like if, when talking politics, you always talked about misuse of company assets. With the hacker community, people tend to focus only on the computer hacker side of things”, says Fabrice Epelboin. This restrictive view has permeated everything from pop culture (in TV series like Mr Robot) to online image banks, where it is hard, often impossible, to find a picture of a hacker that is not an anonymous figure in a black hoodie.
shutterstock might not know what hackers actually use to hack, but they definitely know they wear grey hoodies to do it pic.twitter.com/JfdX68IPIh
— ℤombië ℚueen (@UnburntWitch) 26 February 2017
However, a whole range of hacker profiles exists. People talk alternately of black hats – cybercriminals attracted by bank fraud – and white hats – hackers who promote ethics and see themselves as cyber-activists rather than cybercriminals. Some choose to plot a path between these two opposing camps, and are known as grey hats. Microsoft has invented its own expression: it uses the term blue hats to refer to cybersecurity experts tasked with repairing vulnerabilities in security systems. It can often prove very hard to distinguish between them. The relationships that these individuals build with the authorities or States then come into play when determining where the various profiles sit on the “security experts” scale.
Ambivalent relationships with the authorities
Some hackers are of course pursued by the legal system, and cast as criminals. Others are approached to destabilise political forces, thereby becoming pawns in a geopolitical struggle (the current climate of cold cyber war between the US and Russia is a good illustration of this dynamic). But others do not regard themselves as criminals at all, preferring the cyber-activist or hacktivist tag. For example, the German hacker community has forged a fairly friendly relationship with its government. The country even offers them the status of “consultants” in some instances. “In Germany, hackers are an accepted fixture of the political landscape”, points out Fabrice Epelboin. “The Chaos Computer Club, a long-standing grouping, really does operate in a consultative capacity, and collaborates with the government regularly. I remember one particular episode when, to demonstrate the absurdity of the Merkel government's proposed use of biometric security systems, members of the CCC provided a detailed report, even going so far as to clone the fingerprint of the German minister of the interior”.
So, in order to influence public debate, hackers will cross red lines, and sometimes operate in areas of illegality. This is perhaps one of the reasons why, in France, relationships between the hacker community and the authorities are much more tentative, and even wary. “In France, the community was very quickly infiltrated by the intelligence services”, he adds. “So relations became tense. French hackers emigrated or moved into the freeware community.” For example, Olivier Laurelli, a.k.a. Bluetouff, a well-known figure in the French hacker community and founder of the website reflets.info, fell foul of the French legal system. In 2014 he was found guilty of computer hacking and data theft in a case that pitted him against the national agency for food, environmental and workplace safety (ANSES). His crime? Downloading confidential ANSES documents via his search engine and posting them on his site. According to Fabrice Epelboin, this case illustrates the tension between the hacktivist community and the French authorities.
Is this community becoming normalised?
But times might just be changing. Companies are realising that it is very much in their interests to work with these security experts, even if it means turning a blind eye to their often unconventional methods. With his company Yogosha, Fabrice Epelboin was partly responsible for importing into France the “bug bounty” culture, whereby companies team up with hackers so that the latter can search for flaws in their information systems, and are remunerated. This gives him a front-row seat to watch the change in mindsets and the relaxation in relations between hackers and businesses. “The paradigm is shifting gradually”, confirms Paul Fariello. Companies, increasingly keen to address the flaws in their systems to improve their defences, no longer have any qualms about calling on the services of hackers. But few are prepared to communicate these arrangements. The Yogosha website says that it has worked with big names like Bouygues Telecom, and the insurance company April. Firms like Société Générale, Qwant and Hewlett-Packard have said publicly that they use bug bounty strategies. But it is still hard to find public statements or figures on this subject.
.@HP and @Bugcrowd teamed up for the ultimate #IoT #bugbounty, with a potential $10,000 #reward. Read more here: https://t.co/LCjLUgPkOO #CyberSecurity #InfoSec pic.twitter.com/SQuSi77LHA
— SecureSense (@securesense) 14 August 2018
The big-name cybercriminals of yesterday, such as Kevin Mitnick and Brett Johnson, are now working with companies as security consultants. But whistleblowers like Julian Assange and Edward Snowden are still regarded as criminals, or even national traitors (as Snowden is in the USA). This just goes to show that the process of normalisation some people want to see is not yet complete, and that hackers will remain controversial figures for some time yet.