Whilst the common person will largely link the words “hacker/hackers” to criminal the reality is hackers are scientists/artists/creators/ComputerOperators and the choice of being a criminal or not is down to actions and consequences. So the debate about if you identify as “hacker” does that make you a criminal, well it’s nonsense isn’t it. I could call myself a pony but it won’t make me one, much like I could call myself a criminal and I could be entirely law abiding.
I think we as society have problems with the above concepts because they are complex, contextual, nuanced etc.
I think we also have problems in society with the reality of what lots of Cyber Security professionals do in the course of their work (this would cover personal researchers/academics/students/employed professionals in public and private sectors etc.)
Working in cyber security in the majority of practioner roles places you in a crime adjacent position.
You are affected by the actions of threat actors (including criminals)
You work with victims of cybercrime
You PREPARE and PREVENT cybercrime in a vast array of roles (I’m talking about outside of Law Enforcement roles)
You PROTECT people, your colleagues, customers, business partners, friends family (and the wider world sometimes) etc.
You support Law Enforcement PURSUING criminals
I’ve drawn up some brief notes on activities that someone might conduct as part of a cyber practioner role such as:
- SECOPS Analyst
- Threat Intelligence Analyst
- Penetration Testing
- Incident Responder
- Digital Forensics Specialist
That list and the one below is far from exhaustive but I think the reality is that modern CRIME FIGHTING in a digital world is simply so far away from it’s physical counterparts, yet laws, perceptions and practice’s largely are slow to adapt. Technology pace, scale and access is hugely disruptive to traditional “NORMS” and societies seem to both be resistant to change but also resistant to the notations of the true hybrid nature of how societies actually function in reality.
People say all kinds of odd things like “you only work in IT so your opinion is not valid to security” this is also nonsense.
In IT you might:
- Define Security Policy
- Plan, Design, Build, Operate security capabilities such as:
- Permitter Defenses (Firewalls/IDS/IPS)
- Mail Security Services
- You may organize (SCOPE and AUTHORISE) penetration testing
- You might conduct security testing
- You might manage or contribute to risk govenance/management
- You will almost certainly be patching
- You will be leading or supporing incident response activiies
- You will almost certainly be operating the backup and recovery solutions
This might seem like a tangent but what I’m getting at here is that there are MANY MANY people involved in fighting cybercrime. There are lots of people who are exposed to and leverage data from breaches, from criminally operated infrastructure, from COLLECT activities etc.
It should however be fairly obvious that without context and understanding this might be confusing for people. Let’s take the following example “fictional scenario”
- I search for malware
- I download malware
- I write software that can be used for malicious activity
- I download breach data
- I hang on chats with criminals
- I have burner phones
- I use deception
- I conduct country/global internet discovery exercises
Am I a criminal or am I a cybersecurity crime fighter?
The UK Government is reviewing the Computer Misuse Act 1990, it has a consultation open, please respond if you are involved in defending people and organizations against cybercrime!