What popular culture gets wrong about hacking [Q&A]
It’s safe to say that Hollywood and pop culture haven’t always been kind to the tech and cybersecurity industry.
Over the years, movies and TV shows have established a stereotype of what IT and security professionals should look like, with one of the biggest stereotypes being the representation of a hacker.
The scene always starts the same way: a young individual, working from a basement, wearing a black hoodie and surrounded by multiple monitors, hits his — they’re always male — keyboard and hacks into the CIA, FBI or a government database within minutes. This has been the most common portrayal of a hacker in almost every movie, TV series or video game.
Because of this stereotype, hacking has been understood as a very negative and strictly illegal practice. However, the reality is that hacking is just a technical and analytical skill. Just like most other skills, hacking can be used to serve both good and bad purposes. In the security industry, it is common to use the term “attacker” to define individuals or hackers with criminal intent.
We spoke to Tom Van de Wiele, Principal Threat and Technology Scientist at WithSecure, and an ethical hacker for nearly two decades, to find out why it’s time we move past these stereotypes.
BN: What is wrong with popular perception about the hacker mindset?
TVW: When talking about the portrayal of hackers in popular culture, it’s important to understand where the stereotypes come from. Often such characters are not properly explored or explained in a film, rather their actions get the most focus. What are they hacking into and why? Such depictions make their jobs look easy.
In reality, hacking is quite a challenging skill to achieve. It requires considerable knowledge, experience and preparation, whether for a criminal or ethical campaign. Hacking is far more than being technically sound or knowing how to code. You must show a curious, passionate and often obsessive interest in how systems and networks work. We refer to this as the ‘hacker mindset’.
We are supposed to know the nuts and bolts of a system because that is usually where the cracks lie. This level of knowledge and experience does not happen overnight and barely scratches the surface with a university degree. It requires a demonstration of legitimate passion and hundreds of hours dedicated to learning the core mechanisms of various systems. Some use this passion and knowledge to protect the system, while others unfortunately use it to attack.
On top of that, hackers must constantly update their knowledge and keep learning as IT and security infrastructures evolve rapidly. With new systems, architectures, applications and frameworks being innovated frequently, hackers cannot afford to acquire knowledge and sit on it. Our skills would become redundant very quickly without continuous practice and learning. These are the things you won’t be shown in a Hollywood movie or TV series.
BN: How are attackers and cybercriminals misrepresented?
TVW: The hackers we see in movies are always portrayed as attackers and criminals. Ethical hackers unfortunately have little or no representation in popular culture. When you’re used to seeing the downsides of hacking, it becomes difficult to establish this as a resourceful and valuable skill across the board.
Even the representation of an attacker is often completely wrong in popular culture. Attackers are always shown as individuals working in isolation from a dark room with their own specific agendas, while they usually have teams, managers and budgets. They don’t just pick a target and start stealing data. They launch large-scale campaigns, conduct extensive research to identify potential targets, try different attack methods, and actively engage in dark web forums. In fact, attackers often work as part of a criminal gang or malicious organization.
There are large communities of attackers in the cyber world. They share resources among themselves, manage dedicated marketplaces for illegal resources, and continuously optimize their skills. This is why attack methods are always getting better and cheaper.
So most attackers do not operate in isolation. They have a large arsenal of knowledge, resources and skills — which they use to serve their criminal intentions. That is why we cannot depict anything typically abstract of a hacker or attacker. It could be anyone from an Oxford graduate to a self-taught teenager, working from a small laptop or from a state-of-the-art operations centre.
BN: What does it mean to be an ethical hacker?
TVW: Unfortunately, outside of the cybersecurity industry, there isn’t enough conversation about ethical hackers. People often don’t understand that hacking as a skill is meant to be used to understand and identify the vulnerabilities of a system, rather than causing damage and stealing assets.
So, what are the responsibilities of an ethical hacker? They tend to walk the thin line between attacking and protecting a system. They must maintain a conscious awareness of what is legally and ethically acceptable at all times. Their responsibility is to know the status of a system, identify the vulnerabilities and advise the organizational leaders, while ensuring that system operations and services are not disrupted.
On a practical level, the core task of an ethical hacker is threat modeling. This includes analyzing the system, identifying potential risks, points of disruption and mapping the potential attack surface. Basically, we identify how well an organization’s IT infrastructure is prepared to handle potential cyber attacks.
In addition to the technical aspects, there is a significant analytical side to our role. Ethical hackers often need to test the effectiveness of an organization’s defenses and gauge its competence against competitors. Using threat modeling, we try to predict what an attacker might do, and use this intelligence to prepare enterprise defenses accordingly.
It is important to understand that while an attack may be random, attackers do not always enter blindly. If they see that your security infrastructure is concrete, meaning that it will take a lot of resources and customization to break, they are most likely to skip you if you are dealing with an organized crime group looking to make a certain amount of profit per attack campaign. This is the exact goal that an ethical hacker tries to achieve. While we cannot make a system impenetrable, as there will always be vulnerabilities, we strive to identify the cracks and eliminate the likely avenues of attack to hopefully reduce the likelihood of a breach.
BN: What qualities make a good ethical hacker?
TVW: Being an ethical hacker is an intense job because there’s a lot at stake. So you cannot enter this line without considerable passion. If you have that interest and can work accordingly to gain the necessary knowledge, there is a lot of fun in ethical hacking.
In conclusion, I cannot say that ethical hackers are the limited heroes of the digital world, but we play a crucial role in ensuring that an IT roadmap for the organization is created in an informed way and knows what the risks are.