H4cked Off: Doom-mongering for fun and profit

27 May 2011

Media commentators on cyber security are prone to bouts of hysteria. And I say this as a media commentator on cyber security. Stuxnet! Hackers! Zeus! The Sky is Falling! You get the picture.

But exactly how scared should we be? In his novel 1984, George Orwell advanced the case that the state benefits by keeping its populace cowed and fearful. Leaving aside debates on non-virtual forms of terrorism, is cyber-fear the natural evolution of Orwell's dystopian vision?

The latest piece of scare-mail to fall into my inbox warned that anyone can learn to be a hacker in 15 minutes. Free hacking tools are available on the net, as are free tutorials on how to use them (the search term 'hacking tutorials for beginners' returns over 126,000 results on YouTube).

'Crime doesn't pay' is a fairly well known phrase, but I've never heard anyone suggest the small amendment: 'Cyber-crime doesn't pay'. And that's because it does. It's quick, it's easy, it's lucrative and you probably won't get caught.

So perhaps I'm right to be scared, and occasionally hysterical (in the bad sense). Literally anyone with fingers and a keyboard can be a hacker. So why don't more people take cyber crime up as a profession? Do hackers not have a presence at graduate fairs? Are malware authors not invited into schools on careers day?

I'm not suggesting it's a dying profession, but I am perhaps questioning how scared we need to be of the casual villain – someone who finds him or herself with a spare half hour and decides to drain my bank of funds (good luck with both of my pounds).

I performed a quick and definitely scientific survey of my Computing colleagues to find out why they don't transform themselves into masters of the criminal underworld.

Interestingly, fear of prosecution wasn't high on the list of reasons for staying on the relatively straight and narrow (speeding and library fines notwithstanding). But then lots of cyber criminals go about their careers without ever suffering any legal complications, so perhaps that's reasonable.

Ethical concerns were mentioned, but only after I said: "So you're not worried about the ethics?" So I don't think it counts as an especially valid explanation. I told you it was scientific.

In fact there were two principal themes that emerged as reasons for not turning to cyber crime. The first? Inertia. Even 15 minutes of training still counts as re-education. And swapping careers is notoriously stressful. Is that a comforting thought? Many people won't turn to cybercrime because they're already a postman / bank clerk / astronaut and they can't be bothered to retrain. I suppose in a way it is.

But the main reason for ignoring the internet's scarcely hidden treasures? Computers. Technical frustrations.

And I think that's a very good point. Think of every piece of software you've ever used for the first time. Was it utterly intuitive? Was the process completely without technical hitch or glitch? Or did it make you want to drive your fist through the screen?

The simplest and most intuitive computer I ever used was my first, a Sinclair ZX Spectrum 48K. And its metal casing had a row of bite marks below the little rubber keys where I'd let my frustrations get the better of me one morning.

A few months ago I was treated to a demonstration of a free Zeus-like hacking tool from McAfee. They trained me, and a few other journalists, in how to create and disseminate our own malware.

I'm reasonably technically competent, but still had to be walked through some of the stages several times. At one point even my instructor got confused and had to call the director of McAfee research over for second line support.

The point is, hacking isn't that simple. Yes, free tools are out there. Yes, we should protect ourselves online and exercise both common sense and caution. But no, most people will not learn how to execute complex hacking manoeuvres in 15 minutes. Let's save our fear for the real bad guys.


Reader comments


media commentators and the state are not the same thing....

Posted by: Andy Lydiard  10 Aug 2012