Russia and China support their hacker communities no matter how criminal those communities might be, because they understand the importance of nurturing talent within their cybersecurity communities, and they have become skilled at leveraging that talent.

A Better Approach

We in the West take a different tack. We rightly support responsible disclosure, and we demonize hacking for criminal gain, and I believe we have this the right way round. But no matter how many times we tell our private and public sectors that hacking is not a crime, they continue to attack security researchers for responsibly disclosing the vulnerabilities they find. Not only do we not tolerate organized criminal cyber groups, we do not much tolerate legitimate security researchers either.

Penalizing responsible disclosure is a wonderful way to tell a generation of those who hack that they are unwanted and unloved. We need to stop doing that and instead double down on our cultural inclination to support hackers in our society. Nobody is suggesting that we support criminality, but let's stop panicking when hackers find holes in our security, and stop penalizing those who hack to help us understand our weaknesses.

We need legislation in place to protect those who hack while they hone their skills. We can no longer afford to demonize the hacker community, not if we expect to count on its support when it matters. We need a legal framework that enables our hacker communities to flourish in this new world we find ourselves in, because we need the confidence of those communities over the long term for the good of national security.

Cyberwar 2022

The Cyberwar of 2022 made one thing clear: volunteer hacker communities can form an important part of nation-state cyber operations. American, British, Canadian, and Australian hacker communities stand ready to hack when the cause is just, but they lack the protection that comes with a legal framework for enabling them to volunteer their services. The cyberwar has accidentally criminalized half of our own cybersecurity industry by default. This is not sustainable and it cannot stand.

Russia spilled cyberwar over the general public's breakfast table through articles in their newspapers. While the public may have been vaguely aware that a cyber war had been rumbling in the distance for a long time, now they all know that our hackers rallied to the banner of Ukraine, and they support them.

Of course they support our hackers, why wouldn't they?

Those currently engaged in volunteer cyber operations in support of Ukraine are predominantly Western information security professionals, the people we pay to protect our organizations, institutions, and data. We call these people systems administrators, IT managers, security researchers, threat intelligence analysts, SOC staffers, and hackers, and their numbers include the students in our universities studying cybersecurity.

They deserve our support. None of them has been paid to participate; they all jumped at the chance to volunteer, but few of them stopped to think that what they were doing might be illegal. When all you have ever known is the right side of the law, it can be quite difficult to see that you might be breaking it, and this is doubly so in times of cyber war. These people deserve our support and protection.

We Are all Hacktivists Now

None of us saw it coming, but it's quite true. We are all hacktivists now; even those of us who are not directly involved quietly support the work of our peers. For the most part, the cybersecurity industry is united behind the idea that our volunteers are doing nothing wrong in helping Ukraine defend against Russia. Remember that these are the people who have had to deal with endless cyber attacks originating from Russia and China for the last decade. They have never been able to 'hack back', because hacking has always been a crime and they aren't criminals.

Suddenly hacking is not a crime, provided it is directed at Russia. Our young are gaining real-world cyber conflict experience, and I can happily report that things are as they should be. For too long we have tolerated our adversaries pillaging the intellectual property of our public and private sectors; for too long our political leadership has done nothing as our adversaries allowed cyber crime groups within their borders to inflict huge damage on American and British businesses.

The direct result of this is that we are all hacktivists now. We are all complicit through the silent support that we show our colleagues as they volunteer their skills and talents in support of Ukraine. We understand that elements of our political and business leadership are impotent in the face of Russian and Chinese elite capture, and we understand that hacking for criminal gain must remain a criminal affair, but as a community we cannot accept criminalization as a reward for volunteering in times of cyber war.

As long as this situation persists, our industry will remain quiet. None of us will see evil, hear evil, or speak evil, and the exploits of those who hack will remain in the dark.

Hacking Is Not A Crime

For longer than I care to remember, the word hacker has been used to portray cyber criminals who commit unethical technical acts. You can understand this definition given the highly organized gangs of cyber criminals out there, but the problem with this cultural definition of the word hacker is that all of the good hackers, the security researchers engaged in legitimate research, get put in the same box as the bad hackers, the ones we in cybersecurity call 'threat actors'.

This is all just a cultural misunderstanding; being a 'hacker' is much more about mindset than criminal activity. A hacker is someone who is curious about security and who believes that by testing the security of a thing, they can improve it. These people are naturally curious, creative thinkers, able to devise technical solutions to complex security problems, and the process they use to solve those problems is called hacking. With the right mindset, anyone can be a hacker.

A cyber criminal engages in hacking for malicious or criminal gain, but a real hacker does not. It is the motive and intent of a hacker that really sets them apart from the cyber criminals: hackers explore technical systems to solve security problems, while cyber criminals seek to exploit those same weaknesses for personal gain.

We need to stop treating hackers as if they are criminals and enact policy reform that enshrines the legitimate role they play within a legal framework, providing protections for security researchers engaged in good-faith responsible disclosure.

This is the way.