Let me say up front that when I mean hackers, I am specifically referring to people that intend to intrude into computer systems with the only intent of intruding into the system. I am not referring to people with clear criminal or malicious intent. These are people that say they do it for the sake of curiosity and to learn. I do not buy into this argument. There are laws that clearly define an uninvited attempt to even access a computer as a crime. While some people may argue if it should be a law, the point is irrelevant. These hackers generally seem to obey the law, and tend to be good students, the type that cause parents to be proud. Why then do they commit these computer related crimes as an obsession?

I believe the issue goes back to how they are raised. I am not saying that these people have bad parents. I contend that while parents go around telling their children not to do drugs, to study hard in school, etc., they do not tell their children that it is bad to break into computer systems. Parents don't think of discussing it. This leaves teenagers to learn the morals of computer hacking on the streets, and in this case, cyberspace. They learn about hacking on bulletin boards, chat lines, etc. Are there established experts in the field on these forums to discuss the moral issues of hacking? Clearly not, they don't have the time or desire to associate with these people. The hackers therefore learn their morals from other hackers.

The hacker morality has been developed over the years to be self-serving in justifying their actions. Newcomers to the community learn the morality by associating with established hackers. There is a desire to impress each other, and there is an awe about their heroes, such as the Legion of Doom and the Masters of Deception. Are their heroes criminals? Not to the hackers. They are political prisoners for "knowing to much," or at least that is what everyone is telling them. There are no established security experts visible to the general population to let the hackers know the actual damage that these people created or the real criminal actions that they committed.

Hackers also do not know about the costs associated with their actions. All studies indicate that hackers are generally young, and do not have full-time jobs or own property. They do not consider that if they do get into a system and make an unintentional, simple mistake, they could cost the company thousands, and possibly millions, of dollars. I would dare say that every computer professional, including the best, have made a mistake that has caused the loss of data, service or money. Hackers have never been in a real situation to understand this issue. They do not know what a System Administrator is faced with on a day-to-day basis, and neither do they realize the extent of the problem they cause for already overworked people. They also do not comprehend that a company detecting an intrusion must investigate to see the extent of it. This has a cost of thousands of dollars associated with it.

Hacker morality says investigating intrusions is a cost of doing business, and it is the company's fault for having poor security. Hackers, as individuals, have never had to balance limited resources themselves, and cannot empathize with others.

There is also a more threatening aspect of hacker morality; there are many variations of it. Some hackers believe that it is all right to punish people and companies that they do not like, while others find the action reprehensible. Others believe that it is all right to steal money and resources, if it goes to support hacker actions. This is very dangerous. Even though many hackers might disagree with these types of actions, they will not "snitch" on others, which is considered the most reprehensible thing that a hacker could ever do. In my opinion, all of these attitudes come from the same source; a morality that is learned from other hackers, without role models from the legitimate information security community.

While it is wrong to stereotype hackers as evil people with malicious criminal intentions, they cannot be stereotyped as benevolent freedom fighters as the hackers like to see themselves. Hackers must also realize that the actions of criminals will always reflect poorly on the hacker community as a whole, until the hacker community tries to police itself, which will never happen. Their actions are by definition, criminal. They can suffer repercussions, which include being criminally prosecuted and ostracized by the information security community.

The information security profession must also be more visible in a way that gets children, before the hacker community gets them. Hacking can be very exciting for a teenager who can be considered a hero by others. Somehow the profession must get together to teach parents and schools that they must teach their children about hacking, before somebody else does.

The ideas expressed here are the author's alone. If you have any thoughts or comments on them, feel free to write winkler@ncsa.com.