Does cyber security’s public image need a makeover?

This article originally appeared in the June edition of IT Pro 20/20.

Bryan McAninch grew up with very few computers around him. He was poor, but remembers always having something to tinker with. He also had a supportive grandfather – a secondary school science and maths teacher. One Saturday morning in 1984 McAninch’s grandfather sat him down, aged eight, in front of an Apple IIe in the school lab with a ‘choose your own adventure’ programming book.

“I was hooked like a fish,” McAninch says. “From then on I was in technology. I got into phone phreaking. I got into what we would consider an 80s ‘true’ hacking scene.”

McAninch developed an interest in Linux systems, which led him to networking and eventually network security. He’s worked in penetration testing, incident response, and cloud security. Hacking has become more than a job for McAninch.

“It's not a fashion statement or a movie character,” he says. “It's an identity. And it's something that's really deeply rooted in my own personal character.”

The vilification of hackers

A year before McAninch started coding, film company MGM released WarGames. The film tells the fictional story of a young hacker who, by accident, infiltrates a North American Aerospace Defense Command (NORAD) computer and initiates a World War Three-type situation.

Three years later, in 1986, US President Ronald Reagan’s administration introduced the Computer Fraud and Abuse Act (CFAA), which was followed in the UK by the introduction of the Computer Misuse Act (CMA) in 1990. Both pieces of legislation limited hackers’ legal authority to penetrate computer systems. It was this legislation, according to McAninch, that marked the beginning of the world’s vilification of hackers.

Alyssa Miller, business information security officer at S&P Global Ratings, thinks the public’s overall impression of hackers has become distorted.

“Hacking isn’t just cyber criminal activity,” she says. “If you look back at the history of hacking, it comes back to innovators who take technology, tear it apart, figure out how it works, and then improve upon it. Unfortunately, because of things that have happened over the last 30 years or so, the cyber criminals get all of the media attention.”

Media organisations often use the word ‘hacker’ to refer to cyber criminals (IT Pro is, admittedly, also guilty of this). This frustrates many white hats who would prefer to be separated from the criminal side of the industry. Miller believes positive intentions are intrinsic to the role of a hacker and that we should avoid calling anyone else a hacker at all.

“All the work that's happening out there from people like me, Bryan (McAninch), and all the others in this community, kind of gets lost,” explains Miller, “and we become part of this almost clandestine community that people don't really understand and are often afraid of.”

This misunderstanding affects more than hackers’ identities. A spokesperson for the UK’s National Cyber Security Centre (NCSC) tells IT Pro it may contribute to the industry skills gap.

“We are aware that stereotyping can sometimes hold people back from applying for cyber-security job roles,” the spokesperson says. “However, there is a lot of work being done by both Government and industry to address diversity and the cyber-skills gap.”

Despite these warm words, after 30 years of vilification, McAninch decided it was time to do something.

The start of Hacking is NOT a Crime

McAninch was attracted to other subcultures in his youth, so alongside computers he also spent a lot of time skateboarding. With no money to build a ramp or rail in his backyard, he, like many others, relied on public stairs and embankments to perform tricks.

The police would harass him and his friends in an attempt to stop them and, after a while, stickers bearing the words ‘Skateboarding is NOT a Crime’ appeared. It was the skateboarding community’s response to rules it felt were unfair.

Decades later McAninch was chatting to Dustin Dykes, founder of the Dallas Hackers Association, at a local meetup. Both were frustrated with the media’s mischaracterisation of the hacker identity. McAninch had an epiphany.

He made a small graphic with the words ‘Hacking is NOT a Crime’, uploaded it to Sticker Mule, and printed 500 copies of the sticker. It was summer 2018 and security conference Def Con 26 was about to happen, so he handed them out to attendees. They were so popular he took 5,000 to the following year’s event. Since then, Hacking is NOT a Crime, or HINAC as it has come to be known, has expanded at a rapid pace. It had 1,500 Twitter followers in August last year. Now it has 15,300.

The movement has grown from a simple stickering campaign to lectures and community outreach. Its international network of 109 advocates across six continents and 21 countries now includes Argentina, China and Pakistan.

More than words

HINAC has come to represent a movement with a much wider scope than the reductionist language often used in the media. It’s about changing the entire public’s perception of hacking and the cyber-security community. McAninch believes that, through this, governments can be convinced to improve legislation like the CFAA and the CMA that create unnecessary barriers for security professionals.

Miller says her CIO once received an email from a hacker when she was working in financial technology. The hacker was disclosing a vulnerability in the company’s online bill payment site, and the CIO’s first reaction was to call lawyers – Miller had to talk him out of it. It’s this type of treatment, which the likes of HINAC say is the result of a distorted public image, that bug-bounty hunters and researchers alike want to change. In fact, 80% of cyber-security professionals in the UK are worried about breaking the law because of the CMA.

McAninch says: “We're advocating global legal reform for security researchers so we can provide them some assurance that when they disclose any sort of privacy or security vulnerabilities, they're not going to receive some sort of legal retaliation.

“As we become more dependent on technology, so too is our security and privacy. So if there's no one out there proactively trying to identify these privacy and security vulnerabilities, the true bad guys are going to do it.”

There is hope for white hats like McAninch and Miller; in the UK, home secretary Priti Patel has announced a formal review of the CMA, for example. But it will take time for the industry to adjust its language and, as with all things, action must follow.