Article in Defence IQ: the intoxication of the ‘Art of the Hack’
Our Director, Alicia Kearns, unearths the motivations of hackers and highlights how their skills could be harnessed, for Defence IQ.
Information Operations seek to master the enemy’s operating space; to limit their ability to act, move and communicate. On the internet, hackers hold a wealth of expertise and experience – yet we have failed to lever them effectively.
With this in mind, what are the key motivations for hackers to work with us in the interests of national security?
Hackers’ motivations can vary significantly. However, there are some common drivers: the risk / reward balance that can be found at hackers’ own fingertips, and the intoxicating power behind ‘the art of the hack’.
Rather than breaking down the motivations for individual hackers, it’s helpful to look at the underlying motivations that are present across all hackers. At this point, we’ll put aside malign state-sponsored hackers, as their motivations differ entirely from the ‘average hacker’.
First, let’s look at the risk / reward balance. A hacker can create and adopt a virtual persona for themselves online, which is a considerable draw as it gives them the opportunity to create a notion of oneself that can be completely alien to the individual’s real-world identity. Through social media, the online community, and the inherent infamy of hacks, individuals can create a more desirable and alternative projection of self. One with great social currency within this subculture.
The online community rewards risk-taking behaviour. However, hacking allows individuals to perceive themselves as minimising the potential risks of their activity for themselves. Hackers, whether they are hacktivists, black hat hackers, or any other form, perceive life as dull – yet through hacking they can seek adventure while securing social status, in a way that suits them.
Now, let’s look at the hackers’ desire to author change. The power and ‘art of the hack’ cannot be underestimated. The vast majority of hackers are motivated by their ability to effect change. Hacking requires single-mindedness, determination, and of course, hacking capability. However, there are some hackers that are motivated by violence and perceptions of infamy for themselves. For instance, those acting in support of Daesh and other violent extremist groups – attacking websites and posting images of dead ‘Westerners’ as a way of threatening further attacks. This absolutely sits within the psychology of someone seeking revenge and infamy. In the Daesh online community of ‘fan boys’, those perpetrating the hacks will be celebrated – and potentially featured in Daesh propaganda.
As mentioned earlier though, this is not the case for the majority of hackers. Instead, they are motivated by their ability to effect change in some way. For example, we’ve seen hackers attack Daesh on open-source platforms and the dark web. This action is broadly welcomed, as it limits Daesh’s ability to communicate, and it prevents individuals from being able to view and share Daesh propaganda. It can also be seen as an attempt to show that Daesh’s propaganda, internet and hacking abilities – despite being praised by the media – are actually still substandard to that of their own group’s.
But, why do hackers do what they do?
Simply put: ownership of action and immediacy of impact. Carrying out an action which you control, and seeing an immediate and (often significant) impact from it, is something which many hackers may feel is absent from their lives – an ability to influence the world and effect change.
There is an additional aspect to hacking that is enjoyed and appreciated; the race / gamer aspect. You may be racing against time or inbuilt protections to achieve your hack. Beating security systems can in itself be an objective. There is an intellectual element to all of this, as it can take days, or weeks, to deliver a truly talented hack.
So, how can information operators and counter violent extremism interventions best lever hackers’ expertise?
We need to understand that operating in this space can be as alien to those with decades of CVE experience as it would be for anyone thrown into the Death Star without an instruction manual. As a country, our national defence will increasingly be measured by our ability to identify, prevent and protect our national infrastructure and institutions from cyber terrorism. It is a fact that other countries are investing heavily in their cyber capabilities (both offensive and defensive). In order to keep our economy and national security safe, we must be able to compete.
For example, Estonia’s government has invested heavily in cyber with its Cyber Defence League and Information Technology College, having launched a cyber curriculum in 2015. These institutions have helped Estonia to become a European leader in cyber infrastructure.
And when cyber terrorism gets to the point where one nation can affect the democratic processes of another (as seen with allegations of Russia’s significant interference in the US Presidential election), we have to ask whether, in defending democracy, cyber defences are just as important as kinetic activity. I believe they are. It is essential that Britain invests in cyber. And by investing in cyber capabilities during school, we can capture cyber actors early – drawing their skills and attraction to cyber into a role that will realise their potential in a way that benefits the state. This would also open up a new avenue for further education and employment – which would be good for the British economy.
In CVE, we have no excuses. We must be ahead of the game, working in partnership with hacktivists to protect our national interests, and to deliver strategic effect. In June of this year, a conference will be held in London to discuss these very issues: Countering Violent Extremism; open source intelligence, social media and strategic communications. A much-needed platform for everyone in the Information Operations and CVE fields to collaborate and to make a plan going forward.
We have an opportunity to make the most of cyber – let’s make sure we don’t fall behind, for the sake of democracy.