What popular culture gets wrong about hacking [Q&A]


It's safe to say that Hollywood and pop culture have not always been kind to the tech and cybersecurity industry.

Throughout the years, movies and TV shows have established a stereotype of how IT and security experts should look, with one of the biggest stereotypes being the representation of a hacker.

The scene always starts in the same way: a young individual, working from a basement, wearing a black hoodie and surrounded by several screens, bashing away at his -- they are always male -- keyboard and hacking into the CIA, the FBI or a government database within minutes. This has remained the most common portrayal of a hacker in almost every movie, TV show or video game.


Because of this stereotype, hacking has become understood as a very negative and strictly illegal practice. The reality, however, is that hacking is merely a technical and analytical skill. Just like most other skills, hacking can be used to serve both good and bad intent. In the security industry, it's common to use the term 'attacker' to define individuals or hackers with criminal intentions.

We spoke to Tom Van de Wiele, principal threats and technology researcher at WithSecure, and an ethical hacker for almost two decades, to find out why it's time we moved past these stereotypes.

BN: What does popular perception get wrong about the hacker mindset?

TVW: When talking about the portrayal of hackers in popular culture, it's important to understand where the stereotypes come from. Often, such characters are not properly explored or explained in a movie; rather, their actions get the most focus. What are they hacking into and why? Such depictions make their jobs look easy.

In reality, hacking is a rather challenging skill to achieve. It requires significant knowledge, experience and preparation, whether it be for a criminal or ethical campaign. Hacking is far more than being technically sound or knowing how to code. One must demonstrate an inquisitive, passionate, and often obsessive interest in how systems and networks work. We refer to this as the 'hacker mindset'.

We are meant to know the nuts and bolts of a system because that’s usually where the cracks lie. This level of knowledge and experience does not happen overnight and barely scratches the surface with a university degree. It takes a demonstration of legitimate passion and hundreds of hours dedicated to learning the core mechanisms of different systems. Some use this passion and knowledge to protect the system while, unfortunately, others use it to attack.

On top of that, hackers must perpetually refresh their knowledge, continuing their learning as IT and security infrastructures evolve rapidly. With new systems, architectures, applications and frameworks being innovated frequently, hackers can't afford to attain a piece of knowledge and just sit on it. Our skills would become redundant very quickly without continuous practice and learning. These are the things you’re not shown in a Hollywood movie or TV show.

BN: How are attackers and cybercriminals misrepresented?

TVW: The hackers we see in movies are always portrayed as attackers and criminals. Ethical hackers unfortunately have little to no representation in popular culture. When you're accustomed to seeing the negative aspects of hacking, it becomes difficult to establish this as a resourceful and valuable skill across the board.

Even the representation of an attacker is often completely wrong in popular culture. Attackers are always shown as individuals working in isolation from a dark room with their own specific agendas, whereas they usually have teams, managers and budgets. They don't just pick a target and start stealing data. They launch large-scale campaigns, conduct extensive research on identifying potential targets, trial different attack methods and actively engage in dark web forums. In fact, attackers often work as a part of a criminal gang or malicious organization.

There are large communities of attackers in the cyber world. They share resources between themselves, manage dedicated marketplaces for illicit resources and continuously optimize their skills. This is why attack methods always become better and cheaper.

So, most attackers don't operate in isolation. They have a large arsenal of knowledge, resources and skills -- which they use to serve their criminal intentions. That’s why we can't portray any typical abstract of a hacker or attacker. It can be anyone from an Oxford graduate to a self-trained teenager, working from a small laptop or from a high-end operations center.

BN: What does it mean to be an ethical hacker?

TVW: Unfortunately, outside of the cybersecurity industry, there's not enough conversation about ethical hackers. People often don't understand that hacking as a skill is meant to be used for understanding and identifying the vulnerabilities of a system, rather than causing damage and stealing assets.

So, what are the responsibilities of an ethical hacker? They tend to walk the thin line between attacking and protecting a system. They have to maintain a conscious awareness of what's legally and ethically acceptable at all times. Their responsibility is to know the state of a system, identify the vulnerabilities and provide counsel to the organizational leaders, all while ensuring that system operations and services are not disrupted.

On a practical level, the core task of an ethical hacker is threat modeling. This includes analyzing the system, identifying potential risks, points of disruptions and mapping out the potential attack surface. Basically, we are identifying how well an organization's IT infrastructure is prepared to handle potential cyber attacks.

In addition to the technical aspects, there is a significant analytical side to our role. Ethical hackers often have to test the efficiency of an organization's defenses and measure its competency against competitors. Using threat modeling, we try to anticipate what an attacker might do, and use that intelligence to prepare enterprise defenses accordingly.

It's important to understand that while an attack might be random, attackers don't always come in blindly. If they see that your security infrastructure is concrete, meaning it will take a lot of resources and customization to breach, they are most likely to skip you if you are dealing with an organized crime group that is out to make a certain amount of money per attack campaign. This is the exact goal that an ethical hacker tries to accomplish. While we can't make a system impenetrable, since there will always be vulnerabilities, we strive to identify the cracks and eliminate the probable attack paths to hopefully reduce the likelihood of a breach.

BN: What qualities make for a good ethical hacker?

TVW: Being an ethical hacker is an intense job because there is a lot at stake. So, you can't get into this line of work without significant passion. If you have that interest and can work accordingly to achieve the required knowledge, there is a lot of fun in ethical hacking.

In conclusion, I can't say that ethical hackers are the caped heroes of the digital world, but we do play a critical role in ensuring that an organization's IT road map is created in an informed manner knowing what the risks are.
