Mikko Hypponen CRO F-Secure
We’ve all heard about mainstream hacking cases over the last few years, with companies like Sony Pictures or LinkedIn becoming victims of hackers. At many companies, computer security became – at least briefly – a board-level topic. But the discussion around hacking risks is often confused, and one of the reasons is that people don’t know who they are talking about when they are talking about hackers.
Most people probably don’t know any hackers. But they probably have an idea about what one looks like. The image of someone sitting alone at a computer, with their face obscured by a hoodie, staring intently at lines of code in which their particular brand of crime or mischief is rooted, has become widely associated with hackers. You can confirm this by simply doing an image search for “hackers” and seeing what you come up with.
After 25 years of researching hackers, I’ve decided that this picture is distorting how people need to see today’s threats. It carries some very misleading implications about the adversaries that people, businesses, and especially cyber security companies need to focus on. We have no hope of defending ourselves if we don’t know who the attackers are. It’s a mistake to take the old “hacker-in-a-hoodie” stereotype and think it applies to the threats we’re facing today.
Why do we delude ourselves into thinking hackers wear hoodies like they’re some kind of uniform? When I see the hacker-in-a-hoodie, I feel like I’m being led to believe that hackers work in isolation. And that hacking is a hobby one indulges in when they’re not working or studying. My takeaway from this image is that hackers are portrayed as pursuing a casual interest rather than working to achieve goals. But the idea that such unprofessional adversaries are responsible for things like Stuxnet or ransomware is incredibly naïve. Why don’t we see pictures of hackers wearing a suit and tie? Or a cardigan?
Hacking is now a marketable skill that’s commodified as products and services, and sold to criminals, companies, and even governments. Hackers now have their own networks, both technical and social, that they use to buy, sell, and trade hacking services and malicious software. They pool resources and coordinate efforts, giving threats far greater capabilities than any individual hacker could develop on their own.
Silicon Valley has started to use the term ‘unicorn’ to describe a private tech company that is valued at over a billion dollars – companies like Uber, Airbnb or Dropbox. So the question is: do we already have Cybercrime Unicorns? And the answer is that we just might.