
Information, Communication & Society 5:3 2002

336–356

THE MYTH OF THE COMPUTER HACKER

Reid Skibell

New York, USA

Abstract

The seriousness of computer hacking is not exaggerated, it is far worse than that. The computer hacker has attained the status of myth; society associates all computer crime with a mythical perpetrator that bears no resemblance to reality. This paper will argue that in the early stages of the myth the computer hacker was regarded as a highly skilled but mentally disturbed youth who has an unhealthy association with computers. The new reality of electronic commerce resulted in pressures that culminated in the computer hacker becoming regarded as a dangerous criminal. A thorough analysis of the statistics will demonstrate that the majority of computer intruders are neither dangerous nor highly skilled, and thus nothing like the mythical hacker.

Keywords

hacker, hacking, computer security, information warfare, computer virus, identity fraud

Bobby was a cowboy. Bobby was a cracksman, a burglar, casing mankind's extended electronic nervous system, rustling data and credit in the crowded matrix, monochrome nonspace where the only stars are dense concentrations of information. (William Gibson, Neuromancer)

INTRODUCTION: THE COWBOY

The rhetoric of computer security continues to be grossly saturated with dire predictions of catastrophe, echoing an endless amount of similar doomsday scenarios. The tone of the writing certainly suggests that the threat is exaggerated; however, more telling is an interesting incongruity embedded in the doomsayer argument. The rhetoric surrounding computer hacking consistently reinforces the potentially catastrophic economic and national security threats posed by malevolent intruders, and at the same time attaches the subject of this threat to young, obsessive, self-trained computer aficionados. This raises the fundamental question: how can self-trained teenagers be a match for the security devised by governments and corporations that are literally willing to spend billions of dollars safeguarding computer systems and cracking down on computer criminals? There is too much at stake for the subject of computer intrusions to be legitimate, and this is what prompted this paper's search for the archetypal hacker. Admittedly, this search is not a conventional one, and the real purpose of the attempt is to show that the hacker only exists in the social consciousness, functioning much like the delusion of a generation ago's Red Threat. This is not to suggest that computer intrusions are not occurring or that computer security should not be an issue, any more than one would suggest that the Rosenbergs did not pass sensitive US information to the Soviet Union. Instead, this paper will seek to demonstrate that the computer hacker that society assumes is the principal threat is nothing more than a mirage, and that a revaluation of the dangers to computer security needs to be undertaken before sensible policy can emerge.

Information, Communication & Society ISSN 1369-118X print/ISSN 1468-4462 online © 2002 Taylor & Francis Ltd http://www.tandf.co.uk/journals DOI: 10.1080/13691180210159292

NATURE OF MYTH

Myth is a very strange linguistic creature, and to understand the birth of the mythical computer hacker it is necessary to begin with a sketch of its characteristics. The thinker Roland Barthes provides an important framework for understanding the dynamics of myths by his insight that they function as two semiotic systems that have been stacked upon each other. In semiotic terms, Barthes argues that myths are constituted by a lower order sign that functions as the signifier in a larger sign. He calls this lower order sign the language-object, because it is the language that myth gets a hold of to build its own system; and the second sign he calls meta-language, because it speaks about the first. In a famous example, he turns his analysis on a magazine cover that shows a young Black African in a French military uniform saluting. In the lower order sign, the picture is the signifier and the signified is the actual soldier, where in the second order sign the signifier is the original sign and the signified is a potent mixture of French nationalism and militarism (Barthes 1985). What is interesting is the relationship between the signified of the first sign and the signified of the second sign. The actual African is not able to stand on its own as a signified, or that which is expressed, indeed he only has meaning because of the meta-language of French nationalism; the Black African does not really exist in the specific sense that French nationalism constructs him, but here he is adorning the cover of a magazine all the same. This is the reason that Barthes describes myth as a form of language-robbery, in that myths create and shape symbols to express their particular meaning (Barthes 1985). The idea of robbery is interesting in that Barthes appears to imply that the higher order sign so completely obscures the meaning of the lower order sign that it effectively decentres the original signified from the meaning of the new sign. The implication is that there is no connection between the African soldier of the magazine cover and a real African soldier in Algeria; the signified of French nationalism is all that exists and it is impossible to trace the signifier back to its original signified. In terms of this proposed study of computer hackers, the conclusion would seem to be that the last thing that we should study is the computer hacker himself. The real, or original hacker, is so completely obliterated by the forces that would utilize him as a symbol that it is simply too difficult and rather useless to search for this creature. Reading through the hyperbole-filled manifestos of the computer security industry with names like Cybershock: Surviving Hackers, Phreakers, Identity Thieves, Internet Terrorists and Weapons of Mass Destruction or Defending Your Digital Assets Against Hackers, Crackers, Spies, and Thieves, one can quickly despair that indeed this may be a meaningless search. However, there is a reluctance to completely jettison a notion of the real hacker, because there is evidence of traces, mere shadows of his form and thus to completely ignore him risks missing out on a crucial piece of evidence. A solution provided itself in James Liszka's understanding of the relationship between the myth and the myth-object:
Myths in particular are transvaluation of the rules and concepts which structurate the economic, social, political, and cosmic fabric of a culture; they are not simply a window through which one views those values, however they also provide a set of lenses which focus, distort, obscure, and distance the culture of which the myth is a part. That is, truly speaking, myths are transvaluative processes par excellence, that much in the way in which Freud recognized dreams as transvaluative, displacing representations of the psychic condition. (Liszka 1989: 15)

Liszka's insight is that the signified of the language-object exists as a confused and befuddled abstraction of the signified of the meta-language, but one that is still readable in the same sense that interpreting dreams can help to understand the psyche. The difference between Liszka and Barthes is not so much a major distinction as a matter of emphasis. Liszka's view is that the language-object is not necessarily an empty signifier, but is instead a sign that once had its own meaning but whose meaning has been altered and continues to change through a reflexive process that projects external meaning onto it. In these terms, the language-object of this myth is not necessarily the hacker, but the generalized form of the computer criminal that breaks into systems. Through a process of displacement, a meta-language has been created that gives the computer criminal a significance that is the modern notion of the hacker. In order to test this hypothesis of the computer hacker as a myth, this paper will attempt to tear it apart as a normal order sign: locating the gap between the signifier, the contemporary notion of the computer hacker, vs. that which should be its proper signified, the actual computer criminal. Admittedly, this is a problem-filled venture, as this approach is predicated on being able to accurately define two abstract representations: one that obscurely dwells in reality and one that only exists in the social consciousness. This paper's definition of the actual computer criminal is based on a close reading of computer crime statistics, which are supposed to be a factual portrayal of the type of attacks that are occurring. Statistics are far from objective, but they are also the most complete abstraction of the actual state of computer crime. Ironically, in looking at how the raw data is manipulated by those attempting to justify a serious hacker threat it is possible to see just how substantial the gap is between the mythical hacker and actual computer criminals. It is the cracks and gaps that will prove to be the most compelling evidence that the real computer criminal is far different from the supposed one. Identifying something as ephemeral as the social construction of the computer hacker is an even more difficult task, and most works on the subject avoid this question by taking the definition as a given or relying on experts, namely self-proclaimed hackers or members of the computer security industry. This paper will begin with the assumption that social constructions do not emerge fully mature, they have a history that is the key to understanding them. As Liszka's reformulation emphasized, this is particularly true of myths where it is impossible to separate them from the process of displacement that gave them life. Consequently, the first half of the paper will trace how the myth has developed in order to more fully understand the social significance of the term.
This historical analysis should demonstrate that in the early 1980s there was a relationship between signifier, the computer hacker, and signified, the actual computer criminal; however, the two soon decoupled as hacking became an issue in the public consciousness. This explanation of how the myth was formed will rely on the work of Michel Foucault, and specifically his understanding of discursive formation. Rather than digressing into a full discussion of Foucault's thought, which is available in great detail in other places, it will be assumed that the reader has some familiarity with his work. In The Archaeology of Knowledge, Foucault reconsiders his earlier project of Madness and Civilization and argues that the emergence of a discipline is not isolated to changes in one field of knowledge, but rather that its claim to legitimacy, and thus its authority, cut across many fields (Foucault 1972a). This is exactly what happened with computer hacking, where the concept was constituted by knowledge in a variety of disciplines and texts, and also projected knowledge back onto them. There is a matrix of overlapping knowledge relationships that becomes evident when considering the computer hacker historically. This thumbnail sketch of twenty years of history will not be conclusive by any means, but it should show the broad characteristics of the myth and the forces that created it. These characteristics are the mental image of the hacker that the public possesses, and they will either be confirmed or undercut by considering the statistics on computer attacks.
SHALL WE PLAY A GAME? (WOPR, THE COMPUTER FROM WAR GAMES)

The story of computer hacking begins with the rise of the personal computer and the migration of carefully controlled computing resources from the laboratory or the large organization into the home of private individuals. The first ones to exploit the full uses of these new computers were not adults, who were too busy working and too set in their ways, but adolescents with the creative energy to delve into this new world of computers, modems and bulletin boards. These early digital pioneers soon learned that this new world could be quite expensive for one's phone bill, but a solution presented itself in the form of friendly advice from other early residents of computer bulletin boards, the phone phreaks. Phone phreaks knew how to manipulate the many bugs and glitches in the US phone network and were happy to have a new audience to boast of their exploits. This meeting of phone outlaw and inquisitive computer mind was the primeval union that gave us the modern computer hacker. The early underground community was relatively small and fairly benign. Essentially, it involved a small number of youths trading pirated copies of computer games and discussing ways to get free phone calls (Sterling 1993). The catalyst that invigorated the early computer underground was the release of the movie War Games in 1983, as Bruce Sterling relates:
And with the 1983 release of the hacker-thriller movie War Games, the scene exploded. It seemed that every kid in America had demanded and gotten a modem for Christmas. Most of these dabbler wannabes put their modems in the attic after a few weeks . . . But some stubborn and talented diehards had this hacker kid in War Games figured for a happening dude. They simply could not rest until they had contacted the underground or, failing that, created their own . . . underground boards sprang up like digital fungi. (Sterling 1993: 36)

Not only did the movie strengthen and energize the hacker community, but it also gave them a vision, an ethos. The likeable young hacker in the movie is far more knowledgeable than the bumbling adults and it is this knowledge that gives him power and authority over them, helps him get the girl and, in the end, averts nuclear catastrophe. The idea that knowledge could give them such power was an extremely appealing message to adolescents that felt powerless because of their age, or those that somehow did not feel they belonged within their own peer groups. By reaching out into the digital world, they were able to find a community that shared their fears and, perhaps more importantly, they discovered a forum in which they could command respect and authority. The avenue to respect within the community was to demonstrate skill and daring that others could not match. Where phone-phreaking had mostly been a tool, breaking into systems now became the ends to demonstrate to others that one had the skill to penetrate into even the most forbidden of computer systems. Simple stealing, vandalism and destruction of information were generally frowned upon as beneath hackers, as being the province of real criminals (Sterling 1993; Roush 1995; Taylor 1998). The game, the rush, the power was the hack itself. War Games is important in not only how it catalysed the hacker culture, but also in being the first time that the general public was exposed to the idea of the computer hacker. In 1983, the average person in society had little knowledge about the intricacies of personal computers and almost certainly had no contact with an actual member of the computer underground. Hollinger and Lanza-Kaduce (1988) report that in polls prior to the movie computer crime barely registers as an area of public concern. The movie helped problematize computer hacking as an issue, and just as the underground exploded in the wake of the movie, so did stories about them. However, rather than dying the natural death of most items of public attention, the public's fascination with computer crime continued and even intensified after this initial wave of stories (Hollinger and Lanza-Kaduce 1988).
There was something about the issue that struck a chord with the collective conscious of the adult population and made it a newsworthy story, even if there was little tangible damage outside of free riding on the phone system. However, what was even more interesting than the continued existence of stories about computer crime, was a crucial change in the content. Sometime in the mid-1980s, the damage ceased being the work of individuals armed with a computer or telephone and became the work of hackers. This is the point at which Liszka's description of myths as a transvaluative expression of a society's fears begins to make sense in terms of hacking, and thus when the myth starts to take shape. What emerges in the mid-1980s is a definite mental image of the computer hacker and a discourse surrounding him that goes far beyond the limited computer underground. Before certain characteristics can be attributed to a deviant group, they must have a certain degree of cohesion as a group. Consequently, the first step in the creation of the computer hacker as a social entity was the attachment of characteristics that were unique to them as a group. These characteristics were not germane to the crimes, for not everyone that might try to break in to a computer system is necessarily a hacker, but rather they were part of the field of knowledge that surrounded prototypical hacker behaviour. In Discipline & Punish, Foucault establishes that the key break with early notions of punishment is the necessity of not just punishing the body, but of attacking the criminal soul of the guilty. He argues that social science discourses, such as psychology, became entangled with the practice and operation of the punishment system (Foucault 1977). These discourses posited the criminal as an object of study, as being formed and constructed, and hence the possibility of being rehabilitated through various techniques. In the case of computer hackers, there emerged a distinct psychological discourse that branded them as the product of a pathological addiction to computers. Not only do hackers break into computer systems, but they do it by spending prolonged periods locked away in messy rooms in front of computer screens while their mentally healthy peers are engaging in all the social behaviour of normal adolescents. Within the psychological literature, it became accepted that such behaviour should be classified as a disorder, where the hacker has a wish to escape from the contingencies of the real world in order to revel in the hygienic safety offered by the computer (Taylor 1998: 44). Evidence for how accepted this psychological explanation became can be found in the large number of times that computer criminals successfully used mental disturbance as a mitigating factor in order to receive probation with counselling instead of jail time (Pfuhl 1987).
The impetus for computer hacking to be treated as a psychological disorder can be read as part of a general movement within punishment, but this description does not provide a complete explanation. The early hacker court cases also show the legal system being especially harsh on computer hackers, especially in the trials of Kevin Poulsen and Kevin Mitnick. The judge ruled in the Poulsen case that a condition of his parole was that he was not allowed in the same room as a computer, even one without a modem connection. Similarly, prosecutors were so fearful of Kevin Mitnick that they would not allow him to have access to a stand-alone computer even to examine the 8 gigabytes of evidence they were going to use against him in court. He was even denied access to a phone, the judge believing that, with a phone and a whistle, Mitnick could set off a nuclear attack (Sirius 2000). These irrational fears demonstrate how willing people were to believe that hackers possess unbounded, almost magical powers with computers. This belief that their almost organic connection to their computers gives hackers unlimited powers to break into systems is the second major identifiable characteristic of computer hackers and is why hacking became such a public concern. The investment of hackers with magical powers can be traced to how society reacted to the rapid spread of personal computers. Early computers were not very sophisticated or powerful, but the potential of them for was readily apparent. Adolescents were able not only to understand computers far easier than adults were, but they were also able to do it in a more natural and unforced way. The implication was that the carefully developed authority and power of the adult population was threatened by this new generation that could manipulate computers. Hackers became the embodiment of this more general fear, as Hafner and Markoff explain:
These hackers are significant because of what our fear of them says about our unease with new technologies . . . For many in this country, hackers have become the new magicians: they have mastered the machines that control modern life. This is a time of transition, a time when young people are comfortable with a new technology that intimidates their elders. It's not surprising that parents . . . often panic when confronted with something they believe is too complicated to understand. (Hafner and Markoff 1991: 11)

To return to Liszka, the computer hacker was an ideal projection of society's fears about new technology and, as a representation of this fear, hackers are idealized to have exaggerated powers with computers. Computer hackers become a cautionary image, a mythic tale, to both remind youngsters of the dangers of spending too much time with computers and to reassure adults that this is a treatable malady. By defining hacking as a psychological disorder, their power was contextualized; their prowess is the result of inner weakness and not something to be envied. At this stage, the hacker embodies power and powerlessness, immature teenagers with almost magical skills to disrupt society.
THE SHIFTING IMAGE OF THE COMPUTER HACKER

The codification of the hacker as a category was soon followed by some fundamental changes in its characteristics. Given that the public had little direct contact with computer hackers, their image was particularly susceptible to shifts in public perception. This tendency has been well established, particularly in studies of how McCarthyism was able to take hold of the USA in the 1950s (Edelman 1967; Zaller 1992). The impetus for this shift was the rapid social and technological change in the mid-1980s to the early 1990s that changed the way that the public perceived the personal computer. The PC began to infiltrate the workplace and as more people began using computers, it became increasingly difficult to sustain the view that spending too much time with them is a disorder. Additionally, the tremendous monetary successes by entrepreneurs within the computer and Internet industries severely undercut the notion that computer prowess is directly related to deviance. The increasing computerization of society also had a related impact on the myth, as it increased both the potential losses from computer crime and the number of businesses that could be exposed to those losses. Businesses responded to this perceived increased risk from hackers by demanding legal intervention, thus helping to shift hacking from a nuisance to a crime. This shift in social perception is evident in, and was, in turn, influenced by, the first major crackdown on computer crime, Operation Sundevil in 1990. Sundevil was distinct from earlier prosecutions of computer crime in both its scope and ethos. The Secret Service carried out raids all over the country, seizing forty computers and 23,000 floppy disks. The raids intimidated even those operating bulletin boards that were not catering to the digital underground, and there was a mass of board shutdowns (Sterling 1993). The raids were well co-ordinated, with agents busting into suburban homes with guns drawn to issue search warrants on 14-year-old kids running computer bulletin boards. In the trials themselves the government was determined that the accused would see jail-time, and argued that the hackers worked in close united co-operation and threatened the integrity of the US phone service. While the 1986 Computer Fraud and Abuse Act is the principal federal statute relating to computer crime, in the cases relating to Sundevil the government charged the accused also under federal racketeering laws, which were designed to combat organized crime.
Operation Sundevil was the very beginning, and the crackdown on computer crime continued if not intensified. As online commerce became more important, the threat of computer criminals became a much larger threat to businesses and, therefore, there was greater pressure to contain it. Lessig provides an excellent summary of the forces that led to the demonization of the hacker as a criminal:
It didn't take much to see that this world would not survive for long. This community of people who thought it fair to test the locks, enter someone else's machine if they could, and snoop their file structure – this community was not going to mesh with a Net where commerce could survive. It may have been fine to play these games in a world of geeks, but when money came online a better system of security was inevitable. As these cultures came into conflict, realspace law quickly took sides. Law worked ruthlessly to kill a certain kind of online community. The law made the hackers' behaviour a crime, and the government took aggressive steps to combat it. A few prominent and well-publicised cases were used to redefine the hackers' harmless behaviour into what the law would call criminal. The law thus erased any ambiguity about the good in hacking. (Lessig 1999: 156)

While Lessig adeptly explains how the government's approach to computer crime impacted the view of the hacker, his analysis tells only part of the story. As Foucault's work emphasized, discursive changes do not happen in just one field of knowledge, but are connected to other fields that provide the mutually reinforcing basis for new authoritative changes. The movement of computer hacker from disturbed youth to dangerous criminal was accompanied by two other significant social changes, which help explain how this shift occurred. The emergence of the computer crime industry was accompanied by the creation of an authoritative voice that had a significant monetary interest in a public fear of computer hackers: the computer security industry. A sense of the size of the computer security industry is evident in the projection by the International Data Corporation that the security software market will grow from $2 billion to $7.4 billion by 2003, and the security hardware market will grow from $500 million to $1.9 billion in the same timeframe (Power and Beeson 2000). To put these numbers in perspective, Sterling found when researching his 1993 book that there was virtually no private industry; the government and phone companies were completely responsible for computer security (Sterling 1993). If the threat of attacks from determined and sophisticated hackers did not exist, then there would be little justification for such large and rapid growth in those peddling counter-measures to stop them. The industry played a crucial role in the codifying of the myth, in the Foucauldian sense, of the hacker as a criminal. With the fading power of the psychological explanation for computer hacking, there was nothing to hold computer hackers together as a coherent group, or correspondingly computer crime as a specific area of law enforcement.
This gap was filled by the computer security industry, which provided new experts to argue for the importance of addressing computer crime as a separate problem. The industry has done this by pressuring for, and succeeding in getting passed, legislation that would deal specifically with the problem of computer crime (Hollinger and Lanza-Kaduce 1988; Taylor 1998). The industry also invests a great deal of resources in spreading public information that reinforces the danger from hackers, especially related to the manufacturing of malevolent viruses. For example, the industry has regularly released reports arguing that there are between 30,000 and 50,000 viruses in circulation, when in reality most of these have never infected a computer and only 200 are in general circulation (Leyden 2001). These types of reports were reprinted in the media and entered into the record at government hearings, cementing the representatives of the industry as authorities and spreading misleading information. What was opinion became entrenched as fact, and the viewpoint of self-interested business attained the status of originating from experts in this field of knowledge. The industry has consistently argued that the computer sector of the economy is so important and so vulnerable to malicious attacks, that a hardline stance is the only possible defence. They advocate an image of hackers as a cohesive and coordinated social group with a dangerous agenda, and do not recognize distinctions between different types of attackers, as Taylor notes:
The computer security industry shows a marked reluctance to differentiate between responsible hackers and vandals. Instead, it tends to emphasise the more malicious and destructive elements of hacking, and distinctions between malevolent and harmless browsing are played down. There are thus strong pressures to treat all hacking activities as criminal, which the computer underground argues results in Draconian legislation that fails to deal with the security weaknesses which still remain (Taylor 1998: 123)

Instead of the deviant who is compulsively drawn to their computer, the industry focused on the hacker as openly choosing to enter into the digital underground, and this was a criminally motivated decision. However, this new branding of the hacker as a criminal was not imposed by any single entity, but rather was formed by a network of actors including hackers themselves. They were complicitous in their own branding as criminals, and in many ways helped create the public personae that the industry thrived on and used to justify their own expertise. A year after War Games was released came the second major cultural symbol relating to computer hackers, with the publication of William Gibson's Neuromancer. Gibson's book did not make the immediate impact of the movie, but its influence has continued to build and the book is more popular than ever. Neuromancer, with its exhilarating tales of jacking into cyberspace, is credited with creating the cyberpunk genre within science fiction. The image of the hacker presented is of a rebel, who attains power and status because of his superior intellect and computing skills. The impact of Neuromancer, and of other books and films within the genre, did not change the nature of the activity as much as the ethos in which it was carried out. Taylor argues that while hackers adopted provocative handles this does not mean that they started to engage in a significantly larger number of criminal activities. Criminal activities and malicious cracking still existed within the underground, but this remained a fairly small portion of the overall community (Taylor 1998). Instead, the anonymity of cyberspace and the computer illiteracy of the general public allowed hackers to role-play as dangerous underground cyber criminals. An example of this type of masquerading is provided by Barlow, describing his physical encounter with two hackers he met over the Internet:
[They] were well scrubbed and fashionably clad. They looked to be as dangerous as ducks. But . . . as . . . the media have discovered to their delight, the boys had developed distinctly showier personae for their rambles through cyberspace. Glittering with spikes of binary chrome, they strode past the klieg lights and into the digital distance. There they would be outlaws. It was only a matter of time before they started to believe themselves as bad as they sounded. And no time at all before everyone else did. (Barlow 1990)

As Edelman's earlier words emphasized, most people have no contact with computer hackers, and when experts are spinning a story of computer crime which matches up with the image that hackers themselves are portraying, it was only a matter of time before the cyberpunk-dangerous criminal image became cemented in the public consciousness.
STATISTICAL SUPPORT FOR THE HACKER MYTH

This investigation has sketched a broad image of the computer hacker; the mental image that is inseparable from the word itself. The criminal hacker still possesses elements of the original myth, as part of the danger of the hacker is their almost magical skills with computers. However, the hacker has become an underground criminal who, infused with the ideology of the cyberpunk, threatens to disrupt any and all systems. The next step in this investigation is to return to the real, to delve into the raw data concerning hackers and computer crime and to see if there is realistic support for the existence of this type of computer criminal. The gap between the real and the construction of the hacker is where the myth must exist; if the real suggests that the representation is valid, then the hacker may be an abstraction from the real, but not a myth.

The best approximation of the genuine size and scope of the problem of computer crime is the statistics collected on the subject. There are those that argue that a significant and active hacker population exists, which would seem to suggest that the current image of the hacker might not be so inaccurate. For example, Randall Nichols, Daniel Ryan and Julie Ryan reference a number of studies to show the potential size of the computer criminal problem, including one by the Computer Security Institute and the FBI's Computer Crime Division that demonstrated that half of 5,000 companies, federal institutions and universities interviewed had experienced security breaches within the last twelve months. They also cite one of the most influential reports on computer crime, the study by the US Department of Defense stating that there were 250,000 attacks against DoD systems in 1995 and the number is doubling each year. Of the 250,000 attacks, the report claims that 65 per cent were successful against what should be one of the world's most secure computer systems (Nichols et al. 2000). The narrative that encompasses these numbers is that computer hackers are highly skilled and capable of breaking into even well defended computer systems. The fact that hackers are targeting leading commercial institutions seems to indicate that whether it is for malicious reasons or for profit, hackers are a legitimate threat to electronic commerce. The DoD estimate is especially important, since it highlights that computer hacking is not child's play and that it forms a legitimate threat to national security. In this sense, the well-quoted numbers tie hacking back into the plot of War Games and tap into the newfound American fear of domestic terrorism.

The criminal element of the hacker myth is also strongly reinforced by large estimates of damage from attacks by hackers. Nichols et al. quote a number of studies that demonstrate very sizeable estimates of losses that American companies and the United States Federal Government have suffered from computer crime. Perhaps most disturbing is the estimate they reference from Barbara D. Ritchey at the University of Houston, whose research indicates that computer crimes account for losses of $1 billion annually (Nichols et al. 2000).
Another frequently cited statistic is the estimate from the Computer Security Institute, which reports that in the three years that it has been conducting its survey of US businesses and institutions (1997-2000) respondents have reported over $626 million in losses, a figure which is still supposed to be substantially underreported (Power and Beeson 2000). The extent of the monetary damage wreaked by hackers serves to justify that they are possessed of a marked degree of criminal wantonness. These large estimates form the basis for genuinely absurd comments like that of the British MP who claimed:
They make a great deal of money out of it and the German hackers, at any rate, support a drug-based lifestyle on their activities. I was about to say, enjoy, but I should certainly not enjoy a lifestyle based on drugs. Because drugs are expensive, hackers need to make a great deal of money to support their lifestyle. (Taylor 1998: 133)

This type of condemnation, this moralizing demonization of the computer hacker, may not be created by these figures of monetary losses, but they do provide the framework and justification.
'LIES, DAMN LIES, AND STATISTICS' – MARK TWAIN

The statistics outlined above are illustrative of how the mainstream discourse on computer hacking justifies the extent of the danger. They are the proof that a sizeable and sophisticated hacker population exists, and working in co-operation threatens to maliciously attack systems and damage the public interest. However, there are solid reasons to doubt the validity of this interpretation. As the earlier words from Lawrence Lessig underscored, the full power of the law has come down on the side of computer security and has created strong disincentives to computer crime. The rise of electronic commerce and the absolute necessity of the Internet staying secure for financial transactions have also led to rapid advances in computer security and greater awareness of the threat. On this issue, Roush notes that the once glaring security weaknesses that let hackers traipse through supposedly secure systems have been largely fixed (Roush 1995). This does not mean that there are still not significant bugs within software, but failsafes and firewalls give a layered protection that makes it nearly impossible for hackers to access crucial data. Howard's statistical breakdown of reported Internet attacks from 1989-1995 seems to confirm this common sense approach. His analysis demonstrates that there are far fewer attacks than popularly thought and the vast majority of attacks were nothing more than nuisances (Howard 1997).

The disjunction between the common sense approach and the numbers used by those arguing for a significant hacker threat calls for a greater consideration of exactly how the computer crime statistics are generated. The 1995 DoD report is one of the most widely cited examples that computer crime is a substantial problem. However, Grossman makes the point that a close reading of the report indicates that the figure is based on a post facto Defense Information Systems Agency (DISA) study, but for the year 1995 there were only 559 officially reported attacks (Grossman 1997). According to the DISA numbers, there should have been 165,520 successful attacks, yet the people monitoring the DoD information systems at the time of the incidents only reported 559 total attacks. Clearly, there was a great discrepancy between what the investigators at DISA thought met the criteria for an attack and what the front line system operators thought was sufficiently serious to warrant being counted as an official attack. This discrepancy is further reinforced by John Howard's point that a similar study conducted in 1995 by the Air Force Information Warfare Center found 1,248 attacks with about one in eight being reported (Howard 1997). Given the substantial differences between the number of attacks reported on two very similar systems and the rate of incidents reported, Howard sees many reasons to doubt the validity of the DISA report. Howard argues that the research carried out by the DISA was lacking in professional rigor and concludes that a conflict of interest with regard to funding might have tainted the findings (Howard 1997).

The difference between reported and assessed attacks on the DoD systems is explained by the problem of how to define an attack. One of the administrators who furnished data for the DISA report, Kevin Ziese, admits that the numbers are artificially inflated by the report's broad definition of attack. Instead of evaluating the number of bytes of information accessed compared to total system resources, the report simply defined an attack as any unauthorized attempt to access a system, including everything from fumbled log-ins to simplistic probing of the system (Smith 1998). If the Pentagon were assessing the vulnerability of a physical entity, like a military base, it is doubtful that they would treat the curiosity-inspired trespassing of a passer-by in the same manner as an attack by a well-equipped and highly skilled terrorist organization. Probing, where there is no intent to damage the system, or even download information, is arguably so benign that it is not a genuine attack. Duff and Gardiner argue that this distinction between unauthorized access that causes harm and that which does not has been long recognized within the law, but is ignored by those that catalogue computer crime.
This tendency goes well beyond the DISA estimates, and is part of a general trend that conflates all attacks upon computer systems as equivalent and, consequently, it is too easy to subsume all activities within a criminal umbrella which makes no distinction between those merely involved in unauthorised access and real criminal acts (Duff and Gardiner 1996: 222). Their point reinforces Taylor's argument that the security industry attempts to blur any distinction between attacks, and always emphasizes criminal attacks. By grouping attacks together, the statistics make it seem that there are a large number of criminal assaults upon systems, ignoring the reality that most of these attacks are completely harmless.

By grouping attacks together, the large numbers make it appear that hackers are sufficiently skilled to crack into systems at will. However, most hackers have limited computer skills, and the logs of attacked sites regularly show very basic errors, like attackers trying to type in UNIX commands on non-UNIX systems (Computer Fraud & Security 1999). Instead of using skill or intellect to penetrate systems, most attacks are carried out by unsophisticated users that download simple tools from the Internet. For example, the most popular type of computer intrusion is denial-of-service attacks, wherein a program is downloaded and then passed on to other computers to infect them via e-mail. These computers are turned into sleeping zombies that can be awoken and in unison directed to swamp Internet sites with requests for service, overloading their servers and bringing traffic to a standstill. This is what transpired in a recent wave of attacks against major US Internet sites. The amount of skill involved in such an operation is negligible and hardly fits with the public image of computer hackers as wizards. Goldstein effectively makes this point when he writes:
So far, the corporate media has done a very bad job covering this story, blaming hackers and in the next sentence admitting they have no idea who's behind it. Since the ability to run a program (which is all this is) does not require any hacking skills, claiming that hackers are behind it indicates some sort of knowledge of the motives and people involved. This could be the work of someone who lost their life savings to electronic commerce. Or maybe it's the work of communists. It could even be corporate America itself! After all, who would be better served by a further denigration of the hacker image with more restrictions on individual liberties? (Goldstein 2000)

While DNS attacks can have significant impact upon corporations, they are so easy to carry out that they should not be defined as hacking. When simple probing and unskilled attacks are subtracted from the total amount of computer attacks, there are few attacks that match the public conception of the term, which illustrates how the unpacked statistics undercut the myth of the skilled hacker.

The discourse that defines hackers as criminals is in large part based on the significant estimates of damage that they cause. There are two basic areas in which hackers have been charged with inflicting significant monetary damage: fraud and proprietary theft. Fraud, especially the stealing of credit card numbers or other personal information, is the public's most basic fear about computer hackers (Beale 2000). The fear is that hackers could capture the information as it is transferred, or break into a company's system and steal a file of passwords and break the encryption. To accomplish either of these tasks would take a level of skill, organization and computing power that is simply beyond the capabilities of the vast majority of computer hackers. In addition, most hackers would have little interest in this data, as they are generally more interested in the 'kick' or 'buzz' of conquering a system than in pursuing financial or political goals (Roush 1995; Taylor 1998). The result is that there is a negligible amount of fraud that can be attributed to computer hackers. For example, there has never been a single reported case of a credit card being sniffed, or stolen, in transit (Lombardi 2000). Furthermore, a study by Business Week found that online fraud amounts to only 0.05 per cent of total credit card fraud, a rather minute portion of the $700 million each year lost in the USA through other low-tech means (Lombardi 2000).

The stealing of proprietary data or the malicious destruction of it is also far less of a problem than has been commonly thought. The easiest way to gain access to a system is through its Internet site, but most of a company's critical data is embedded within the internal architecture and is secured by protective firewalls. An important demonstration of this point comes from Martin Caminada's study of corporate attacks in The Netherlands, which is unique in the clarity of information he was able to solicit from attacked companies. Caminada found that the impact of successful attacks was often nothing more than a nuisance, precisely because intruders were confined to the data available on the website (Caminada 1999). His study also found additional support for the belief that hackers are not interested in financial data, as he writes: 'Not a single responding organisation mentions incidents in which the perpetrator has read or modified any truly sensitive data, such as customer files or financial data' (Caminada 1999: 429).

Another reason that the estimates of financial losses from computer crime are not reliable is that they are extremely difficult to independently verify and thus estimates are based on figures provided by the companies themselves. These estimates may be exaggerated for insurance purposes or to vengefully punish the accused attacker. Banisar notes on this point that the structure of the federal sentencing guidelines provides strong incentives for companies to list sizeable damages from attacks. He argues that they have artificially inflated the impact of attacks by listing the complete cost for developing a piece of software that was stolen, rather than listing the actual damage (Banisar 1999). For example, in the Mitnick case the source code for Sun's Solaris operating system was stolen; however, Mitnick had no intention of selling or altering the code.
Little actual damage was done to Sun, above embarrassment, yet this did not stop them from arguing that the damage he did was equal to what they paid for the software, or $80 million (Banisar 1999). Interestingly enough, Sun never reported the loss to the IRS or to its shareholders, casting serious doubt upon the validity of the figure (Thomas 1999). Mitnick's example is not an isolated one, as prosecutors have broad scope to define damages in a given case. Sterling reports that in the cases originating from Operation Sundevil defendants were charged with causing significant monetary damage for copying data as trophies. The most telling example is the case of Craig Neidorf, accused of printing a sensitive phone company document causing the equivalent of $80,000 in damages. During the course of the trial, it surfaced that the exact same information was available mail order from the phone company for $13 (Sterling 1993).
The tendency to conflate all computer attacks as equivalent is also part of the reason that hackers have been held responsible for such large economic losses. Insider attacks are more closely related to embezzlement or insider trading than to computer hacking, but they are grouped with computer crime because of the criminal medium. The public and the media do not effectively discriminate between different types of computer crime and incorrectly assume that the estimates of damage are only talking about the external break-ins that are the realm of the hacker. Comparatively, insiders are a far greater threat than external attackers. They have knowledge about security systems that makes them far more likely to be able to penetrate the security around sensitive information than external attackers. In addition, insiders know what the data is truly worth and have a far greater possibility of selling the data because of their contacts within the industry (Hamin 2000). Additionally, the insider may have stronger motivations, whether it is the simple temptation of having access to valuable data, or some perceived slight at the way they have been treated (Shaw et al. 1998).
CONCLUSION

The purpose of this paper was to put forth an argument that served to provide a different perspective from the normal doomsayer rhetoric. This argument is not a conclusive one by any means and more detailed study needs to be undertaken, but it has been able to demonstrate certain key points. The hacker is popularly understood to possess sophisticated computer skills and represents a threat because of his desire to use these skills in the pursuit of criminal wrongdoing. However, the reality is that few computer hackers possess sufficient skills or desire to commit more than nuisance crimes. This disjunction between hacker signified and the signified of the actual computer criminal is indicative that the computer hacker has reached the symbolic level to be classified as a myth.

This is an important realization, in that this myth has a number of real world implications. The myth of the hacker is wasting valuable resources, as energy and finances are devoted to devising ways to stop external attacks. More effective security could be fostered if in developing new technologies there was a focus on the hacker as an unsophisticated user of generic tools, and if corporate security resources were shifted towards internal threats. Furthermore, the myth is leading to overly punitive measures being taken against those who are guilty of nothing more than harmless browsing. Fear of hackers is also restricting electronic commerce, and measures to crack down on hackers are damaging a culture of openness on the Internet. There are also signs that the myth is taking on a new guise, with the rise of information warfare rhetoric and stories of hackers working for international organized crime. As a transvaluative expression, this is an all too realistic and problematic next stage in the hacker myth, and represents a powerful reason for beginning a reappraisal of the nature of the computer hacker.
Reid Skibell 554 W. 114th St New York, NY USA

REFERENCES

Banisar, D. (1999) 'Computer Hacker's Sentence Spotlights High-Tech Crime Prosecutions', Criminal Justice Weekly, 3 August. Available online: http://www.epic.org/epic/staff/banisar/hacker.html
Barlow, J. P. (1990) 'Crime & Puzzlement', Whole Earth Review, Fall: 44-57. Available online: http://www.eff.org/pub/Publications/John_Perry_Barlow/HTML/crime_and_puzzlement_1.html
Barthes, R. (1985) Mythologies, trans. Annette Lavers, London: Paladin.
Beale, M. (2000) 'Report: Many Consumers Still Fear E-Commerce', E-Commerce Times, 3 August. Available online: http://www.ecommercetimes.com/perl/story/?id=1053
Caminada, M., van de Riet, R. P., Van Zanten, A. and van Doorn, L. (1998) 'Internet security incidents, a survey within Dutch organizations', Computers & Security, 17: 417-33.
Computer Fraud & Security (1999) 'Hackers, Crackers and Phreakers Oh My!', Editorial, Computer Fraud & Security, March: 18-19.
Duff, L. and Gardiner, S. (1996) 'Computer crime in the global village: strategies for control and regulation in defence of the hacker', International Journal of Sociology of Law, 24: 211-28.
Edelman, M. (1967) The Symbolic Uses of Politics, Chicago: University of Illinois Press.
Foucault, M. (1972a) 'The archaeology of knowledge', trans. A.M. Sheridan Smith, in The Archaeology of Knowledge & The Discourse on Language, New York: Pantheon Books.
Foucault, M. (1972b) 'The discourse on language', trans. Rupert Swyer, in The Archaeology of Knowledge & The Discourse on Language, New York: Pantheon Books.
Foucault, M. (1977) Discipline & Punish: The Birth of the Prison, trans. Alan Sheridan, New York: Vintage Books.
Goldstein, E. (2000) 'Hackers to Blame, Doubtful', 2600: Hacker Quarterly News, 9 February. Available online: http://www.2600.com/news/2000/0209.html
Grossman, W. M. (1997) Net.wars, New York: New York University Press.
Hafner, K. and Markoff, J. (1991) Cyberpunk: Outlaws and Hackers on the Computer Frontier, London: Fourth Estate Limited.
Hamin, Z. (2000) 'Insider cyber-threats: problems and perspectives', International Review of Law Computers & Technology, 14: 105-13.
Hollinger, R. C. and Lanza-Kaduce, L. (1988) 'The process of criminalization: the case of computer crime laws', Criminology, 26: 101-26.
Howard, J. D. (1997) An Analysis of Security Incidents On The Internet 1989-1995, Carnegie Mellon Phd in Philosophy. Available online: http://www.cert.org/research/JHThesis/Start.html
Lessig, L. (1999) Code and other Laws of Cyberspace, New York: Basic Books.
Leyden, J. (2001) 'Stop the Antivirus Vendor Hype', The Register, 3 June. Available online: http://www.theregister.co.uk/content/archive/17372.html
Liszka, J. J. (1989) The Semiotic of Myth: A Critical Study of the Symbol, Bloomington, IN: Indiana University Press.
Lombardi, R. (2000) 'Dispelling the Myth on Internet Security Issues', Price, Waterhouse, Coopers Online. Available online: http://www.pwcglobal.com/8525669400473143/0/6BEE38F53D4872E38525680300524FC0?Open&Highlight=2,hackers
Nichols, R. K., Ryan, D. J. and Ryan, J. J. (2000) Defending Your Digital Assets Against Hackers, Crackers, Spies, and Thieves, New York: McGraw-Hill.
Pfuhl, E. H. Jr (1987) 'Computer abuse: problems of instrumental control', Deviant Behavior, 8: 113-30.
Power, R. and Beeson, C. (2000) '2000 CSI/FBI Computer Crime and Security Survey', Computer Security Issues & Trends, Spring: 1-16.
Roush, W. (1995) 'Hackers: Taking a Byte Out of Computer Crime', Technology Review, April. Available online: http://www.techreview.com/articles/apr95/Roush-text.html
Schwartau, W. (2000) Cybershock: Surviving Hackers, Phreakers, Identity Thieves, Internet Terrorists and Weapons of Mass Destruction, New York: Thunder's Mouth Press.
Shaw, E., Ruby, K. G. and Post, J. M. (1998) 'The insider threat to information systems: the psychology of the dangerous insider', Security Awareness Bulletin, 2: 1-10.
Sirius, R. U. (2000) 'Superhacker Kevin Mitnick: Menace to Fear or Rogue to Love?', Village Voice, 22 February, Westlaw.
Smith, G. (1998) 'An Info-Warrior Wheels', Netly News Network, 28 January. Available online: http://sun.soci.niu.edu/~crypt/other/zienet.htm
Smith, G. (2000) 'The Cant of Idiots: Usage of the wake-up call in Computer Security and Technology Reporting', Crypt Newsletter, November. Available online: http://www.soci.nio.edu/~crypt/other.cant.htm
Sterling, B. (1993) The Hacker Crackdown: Law and Disorder on the Electronic Frontier, New York: Penguin Books.
Taylor, P. A. (1998) Hackers: Crime in the Digital Sublime, London: Routledge.
Thomas, D. (1999) 'How Much Damage Did Mitnick Do?', Wired, 5 May. Available online: http://www.wired.com.news.politics/0,283,19488,00.html
Zaller, J. R. (1992) The Nature and Origins of Mass Opinion, Cambridge: University of Cambridge Press.
