Haiku #9 Hackers? Really?
Firewall, port blocked! Crap!
Search for back door, probe weakness
Found one. Problem solved
Regardless the imagery we superimpose on cyber criminals, at their core they too come to work to solve problems. Unfortunately our understanding of the distinction between hackers and cyber criminals really needs to be more fully developed. Criminals, cyber or otherwise, attempt to impose their will on groups of victims. In the case of cyber criminals, they do this in hopes that their efforts remain undetected as long as possible. Hackers on the other hand are a group of people who, using a remarkably similar set of skills and tools, attempt to point out the flaws in systems for the good of the system and the good of the larger Internet community. The similarity in skills sets often results in a conflation of terms wherein we label cyber criminals “hackers”. Whether we agree or disagree with the terms, it’s interesting to note that by labeling them at all, we’re lending a special categorization to them they do not deserve. By labeling them separately from common criminals, their efforts actually gain an unexpected legitimacy.
Our first effort should be to revisit this de facto granting of legitimacy. Even without the rants of community leaders like Chris Roberts, we really need to be cognizant of the psychosocial impacts our labeling has. Consider this thought when re-assessing whether or not to call cyber criminals any more than common thugs. When US media refers to the Islamic State (in any region or country), they give that organization the legitimacy of being called a state. They elevate those who would attempt to overthrow governments beyond the level of bullies, thugs, thieves and criminals. Their cause becomes noble. When we call cyber criminals “hackers” and ascribe visuals to them that are mysterious or sinister, we give them a similar legitimacy. They’re just criminals. Their skills are new and different, but locks are still locks, people can still be fooled by con men, and prizes are still tantalizing even if the venues have migrated from brick and mortar banks and businesses to virtual data stores.
Those same criminals have not changed the basic task. They’re still looking for “marks”; we people or organizations who goods or services can be commandeered for the criminal profit of people would rather break laws than abide by them. In military terms, what they’re doing is looking for a Center of gravity (a military term for core competencies or competitive advantage) is intricately linked to critical vulnerability precisely because human nature often blinds us to true weakness because we see only the strength of our design. Once they find that critical vulnerability, they take every opportunity they can to exploit it. What distinguishes their actions are their choice of targets and their legality. Their methods are, nonetheless, the same. They approach the problem with discipline, dedication, and caution. When they find a target worth attacking, they marshal resources, align forces to ensure interlocking (but not overlapping) fields of fire, and they begin to attack. And, succeed or fail, attacks on illegal targets are just criminal behavior.
Let’s change the approach to something that undermines their own sense of self-importance. Choose not to give them fancy titles or associate them to slick looking imagery. They’re rats. They crawl around in virtual dark spaces, scatter when the lights are turned on, attack each other when no other targets are around, and sacrifice each other when threatened. If a moniker or image must be assigned to give people a target to think of, then call them something more appropriate and link our individual imagery processing centers to something more akin to the behavior of skulking scavengers. Even The Nazgul were more honorable than most criminals.
This blog is primarily a way for me to collect and share thoughts about cybersecurity, my profession for over 20 years. Since I also like to write, I’ve organized it by the haikus that I’ve written (in the order written and published on LinkedIn and various other social media outlets). I enlisted in the Marine Corps as a Morse Code Interceptor in May 1995. Throughout my initial schooling, I was introduced to two critical foundations of information security: binary language and cryptology. After initial training I reported to Officer Candidate School in September 1996. Upon completion of initial officer training, I reported to Communications Information Systems Officers Course, which reinforced lessons learned in the cryptanalysis training and fostered a deeper understanding of networks as a whole. For three years, I applied these lessons on numerous deployments throughout the Far East, managing the installation of various types of networks for numerous exercises. In February 2001, after completing my initial active duty contract with the Marine Corps, I accepted a job at Booz Allen Hamilton. While working as a government contractor, I worked on satellite communications projects at Headquarters Marine Corps (HQMC) C4 and United States Pacific Command J6. When I reported to HQMC Manpower and Reserve Affairs (M&RA), I led a software development and securing of a large-scale ERP with over 100 spin-off supporting applications. Subsequently, I served at 4th Marine Division as the AC/S G-6 managed the RMF (formerly DITSCAP/DIACAP) integration of over 40 remote, temporary connections to the Marine Corps Enterprise Network. At every duty station since becoming a communications officer, I have been directly involved in securing networks. While in Japan I focused on deployed networks throughout Asia. Later I worked on securing networks in Southwest Asia and as the Information Assurance Officer for Manpower and Reserve Affairs. I’ve worked on cyber workforce development policy for the Reserve component while on the Joint Staff and at Marine Forces Reserve. What I’m truly passionate about is the art of articulating information technology requirements to C-level leadership both inside the Department of Defense and in commercial industry. As a career cyber security Marine, I see the next great challenge as keeping the population informed on current and emerging threats and wants to devote his professional life to teaching others in that area. My certifications include CISSP, GSLC and Security+. I earned a Bachelor of Arts degree in Spanish from DePauw University in Greencastle, Indiana and a Master of Arts in Romance Languages from University of New Orleans. Through my experience and higher education, I also enjoy mentoring other technical professionals and those who aspire to greater technical expertise in Spanish and French as well as English. I live in Covington, LA with my wife Nedra and our spoiled pack of wild hounds: Rex, Reina, Hogan and Henry. View all posts by John Keenan
Originally published at http://johnkeenanoncybersecurity.wordpress.com on January 27, 2020.